azorult | f3bb7544807de64fc3ea293a82cc45a99874721f4c1f2a0b62a3a2953c3efd55

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4296-187-0x0000000002590000-0x00000000025BE000-memory.dmp	family_redline
behavioral2/memory/4296-192-0x0000000002770000-0x000000000279C000-memory.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Nirsoft 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1613596398745.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1613596398745.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1613596401214.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1613596401214.exe	Nirsoft

Executes dropped EXE 64 IoCs

Processes:

winrar-x64-600ru.exeuninstall.exeWinRAR.exekeygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exeSetup.exekey.exekeygen-step-1.exekeygen-pr.exe6489A2274AE24900.exe6489A2274AE24900.exemd2_2efs.exe1613596398745.exe1613596401214.exefile.exeF202.tmp.exeF33B.tmp.exeF202.tmp.exeBTRSetp.exeinstaller.exe[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe2005533.223948085.432162697.23Windows Host.exegdrrr.exekeygen-pr.exekeygen-step-1.exejfiag3g_gg.exekeygen-step-3.exekey.exekeygen-step-4.exekey.exeSetup.exeThunderFW.exejfiag3g_gg.exemd2_2efs.exefile.exeB087.tmp.exeB115.tmp.exeBTRSetp.exeB087.tmp.exeinstaller.exe2927084.325654046.624369147.48keygen-pr.exekeygen-step-1.exegdrrr.exekey.exekeygen-pr.exekeygen-step-1.exekey.exejfiag3g_gg.exekeygen-pr.exekey.exekeygen-step-1.exekey.exekey.exejfiag3g_gg.exe[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe

pid	process
2592	winrar-x64-600ru.exe
4032	uninstall.exe
3164	WinRAR.exe
1296	keygen-pr.exe
1228	keygen-step-1.exe
4060	keygen-step-3.exe
3844	keygen-step-4.exe
3104	key.exe
3848	Setup.exe
3836	key.exe
2224	keygen-step-1.exe
3228	keygen-pr.exe
2512	6489A2274AE24900.exe
2936	6489A2274AE24900.exe
2228	md2_2efs.exe
4116	1613596398745.exe
4348	1613596401214.exe
4400	file.exe
4508	F202.tmp.exe
4544	F33B.tmp.exe
4828	F202.tmp.exe
1408	BTRSetp.exe
3824	installer.exe
4988	[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe
584	2005533.22
4012	3948085.43
4296	2162697.23
5020	Windows Host.exe
4280	gdrrr.exe
4244	keygen-pr.exe
5036	keygen-step-1.exe
4340	jfiag3g_gg.exe
4388	keygen-step-3.exe
3164	key.exe
3096	keygen-step-4.exe
4320	key.exe
4460	Setup.exe
4384	ThunderFW.exe
2740	jfiag3g_gg.exe
2308	md2_2efs.exe
3604	file.exe
2664	B087.tmp.exe
1720	B115.tmp.exe
632	BTRSetp.exe
2776	B087.tmp.exe
4632	installer.exe
4148	2927084.32
3924	5654046.62
4716	4369147.48
1156	keygen-pr.exe
2316	keygen-step-1.exe
4272	gdrrr.exe
1712	key.exe
4980	keygen-pr.exe
2812	keygen-step-1.exe
4896	key.exe
4032	jfiag3g_gg.exe
4212	keygen-pr.exe
2276	key.exe
2744	keygen-step-1.exe
4088	key.exe
4016	key.exe
208	jfiag3g_gg.exe
4428	[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 29 IoCs

Processes:

MsiExec.exeF33B.tmp.exeMsiExec.exeB115.tmp.exeMsiExec.exeMsiExec.exe40F1.tmp.exe684F.tmp.exe

pid	process
3020
1472	MsiExec.exe
4544	F33B.tmp.exe
4544	F33B.tmp.exe
4544	F33B.tmp.exe
4544	F33B.tmp.exe
4544	F33B.tmp.exe
4544	F33B.tmp.exe
4748	MsiExec.exe
1720	B115.tmp.exe
1720	B115.tmp.exe
1720	B115.tmp.exe
1720	B115.tmp.exe
1720	B115.tmp.exe
1720	B115.tmp.exe
4364	MsiExec.exe
3528	MsiExec.exe
2076	40F1.tmp.exe
2076	40F1.tmp.exe
2076	40F1.tmp.exe
2076	40F1.tmp.exe
2076	40F1.tmp.exe
2076	40F1.tmp.exe
8	684F.tmp.exe
8	684F.tmp.exe
8	684F.tmp.exe
8	684F.tmp.exe
8	684F.tmp.exe
8	684F.tmp.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

3948085.43gdrrr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	3948085.43
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gdrrr.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 10 IoCs

evasion trojan

System Information Discovery

Processes:

Setup.exeSetup.exe6489A2274AE24900.exeSetup.exemd2_2efs.exemd2_2efs.exemd2_2efs.exemd2_2efs.exeSetup.exe6489A2274AE24900.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6489A2274AE24900.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

70 api.ipify.org
77 ip-api.com

flow	ioc
70	api.ipify.org
77	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exe6489A2274AE24900.exe6489A2274AE24900.exeSetup.exeSetup.exeSetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe
File opened for modification	\??\PhysicalDrive0	6489A2274AE24900.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	Setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Setup.exeSetup.exeSetup.exeSetup.exe

pid process

3848 Setup.exe
4460 Setup.exe
2884 Setup.exe
4324 Setup.exe

pid	process
3848	Setup.exe
4460	Setup.exe
2884	Setup.exe
4324	Setup.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

key.exe6489A2274AE24900.exeF202.tmp.exekey.exeB087.tmp.exekey.exekey.exe4073.tmp.exe67C1.tmp.exe

description	pid	process	target process
PID 3104 set thread context of 3836	3104	key.exe	key.exe
PID 2512 set thread context of 4904	2512	6489A2274AE24900.exe	firefox.exe
PID 2512 set thread context of 4336	2512	6489A2274AE24900.exe	firefox.exe
PID 4508 set thread context of 4828	4508	F202.tmp.exe	F202.tmp.exe
PID 3164 set thread context of 4320	3164	key.exe	key.exe
PID 2664 set thread context of 2776	2664	B087.tmp.exe	B087.tmp.exe
PID 1712 set thread context of 4896	1712	key.exe	key.exe
PID 2276 set thread context of 4088	2276	key.exe	key.exe
PID 3596 set thread context of 4580	3596	4073.tmp.exe	4073.tmp.exe
PID 4568 set thread context of 2236	4568	67C1.tmp.exe	67C1.tmp.exe

Drops file in Program Files directory 64 IoCs

Processes:

winrar-x64-600ru.exeuninstall.exemsiexec.exe

description	ioc	process
File opened for modification	C:\Program Files\WinRAR	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\DefaultEn.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\DefaultEn64.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\rarlng.dll	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\rarlng.dll	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\WinConEn.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\ZipEn.SFX	winrar-x64-600ru.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.exe	msiexec.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259294328	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.rus.txt	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-600ru.exe
File created	C:\Program Files (x86)\gdiview\gdiview\readme.txt	msiexec.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\ZipEn.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\ReadMe.rus.txt	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\DefaultEn.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\WinConEn.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File created	C:\Program Files (x86)\gdiview\gdiview\GDIView.chm	msiexec.exe
File opened for modification	C:\Program Files\WinRAR\WinConEn64.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\ZipEn64.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\ZipEn64.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-600ru.exe
File created	C:\Program Files\WinRAR\WinConEn64.SFX	winrar-x64-600ru.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-600ru.exe

Drops file in Windows directory 9 IoCs

Processes:

WerFault.exemsiexec.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9A2A452C-3057-4F5E-8C7F-41B0D566B831}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1BD.tmp	msiexec.exe
File created	C:\Windows\Installer\f7645d1.msi	msiexec.exe
File created	C:\Windows\Installer\f7645cf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7645cf.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4160	2228	WerFault.exe	md2_2efs.exe
2932	2308	WerFault.exe	md2_2efs.exe
3696	1188	WerFault.exe	md2_2efs.exe
4108	3820	WerFault.exe	md2_2efs.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

6489A2274AE24900.exesvchost.exe6489A2274AE24900.exemsinfo32.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	6489A2274AE24900.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	6489A2274AE24900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

636 timeout.exe
3472 timeout.exe
4480 timeout.exe
5564 timeout.exe

pid	process
636	timeout.exe
3472	timeout.exe
4480	timeout.exe
5564	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

msinfo32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5040 taskkill.exe

pid	process
5040	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 64 IoCs

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uue\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Setup.exefile.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3492	PING.EXE
4300	PING.EXE
4992	PING.EXE
4760	PING.EXE
1664	PING.EXE
3432	PING.EXE
412	PING.EXE
1000	PING.EXE
4548	PING.EXE
4408	PING.EXE
4808	PING.EXE
3752	PING.EXE
4488	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

key.exe1613596398745.exeWerFault.exe1613596401214.exejfiag3g_gg.exe2005533.22key.exeWerFault.exe2162697.232927084.32jfiag3g_gg.exekey.exekey.exe4369147.48WerFault.exe

pid	process
3104	key.exe
3104	key.exe
4116	1613596398745.exe
4116	1613596398745.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4160	WerFault.exe
4348	1613596401214.exe
4348	1613596401214.exe
2740	jfiag3g_gg.exe
2740	jfiag3g_gg.exe
584	2005533.22
584	2005533.22
584	2005533.22
3164	key.exe
3164	key.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
4296	2162697.23
4296	2162697.23
4296	2162697.23
4148	2927084.32
4148	2927084.32
4148	2927084.32
208	jfiag3g_gg.exe
208	jfiag3g_gg.exe
2276	key.exe
2276	key.exe
1712	key.exe
1712	key.exe
4716	4369147.48
4716	4369147.48
4716	4369147.48
3696	WerFault.exe
3696	WerFault.exe

Suspicious behavior: SetClipboardViewer 3 IoCs

Processes:

5654046.624569887.501550137.17

pid process

3924 5654046.62
196 4569887.50
4648 1550137.17

pid	process
3924	5654046.62
196	4569887.50
4648	1550137.17

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3760	msiexec.exe
Token: SeSecurityPrivilege	2136	msiexec.exe
Token: SeCreateTokenPrivilege	3760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3760	msiexec.exe
Token: SeLockMemoryPrivilege	3760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3760	msiexec.exe
Token: SeMachineAccountPrivilege	3760	msiexec.exe
Token: SeTcbPrivilege	3760	msiexec.exe
Token: SeSecurityPrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeLoadDriverPrivilege	3760	msiexec.exe
Token: SeSystemProfilePrivilege	3760	msiexec.exe
Token: SeSystemtimePrivilege	3760	msiexec.exe
Token: SeProfSingleProcessPrivilege	3760	msiexec.exe
Token: SeIncBasePriorityPrivilege	3760	msiexec.exe
Token: SeCreatePagefilePrivilege	3760	msiexec.exe
Token: SeCreatePermanentPrivilege	3760	msiexec.exe
Token: SeBackupPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeShutdownPrivilege	3760	msiexec.exe
Token: SeDebugPrivilege	3760	msiexec.exe
Token: SeAuditPrivilege	3760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3760	msiexec.exe
Token: SeChangeNotifyPrivilege	3760	msiexec.exe
Token: SeRemoteShutdownPrivilege	3760	msiexec.exe
Token: SeUndockPrivilege	3760	msiexec.exe
Token: SeSyncAgentPrivilege	3760	msiexec.exe
Token: SeEnableDelegationPrivilege	3760	msiexec.exe
Token: SeManageVolumePrivilege	3760	msiexec.exe
Token: SeImpersonatePrivilege	3760	msiexec.exe
Token: SeCreateGlobalPrivilege	3760	msiexec.exe
Token: SeCreateTokenPrivilege	3760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3760	msiexec.exe
Token: SeLockMemoryPrivilege	3760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3760	msiexec.exe
Token: SeMachineAccountPrivilege	3760	msiexec.exe
Token: SeTcbPrivilege	3760	msiexec.exe
Token: SeSecurityPrivilege	3760	msiexec.exe
Token: SeTakeOwnershipPrivilege	3760	msiexec.exe
Token: SeLoadDriverPrivilege	3760	msiexec.exe
Token: SeSystemProfilePrivilege	3760	msiexec.exe
Token: SeSystemtimePrivilege	3760	msiexec.exe
Token: SeProfSingleProcessPrivilege	3760	msiexec.exe
Token: SeIncBasePriorityPrivilege	3760	msiexec.exe
Token: SeCreatePagefilePrivilege	3760	msiexec.exe
Token: SeCreatePermanentPrivilege	3760	msiexec.exe
Token: SeBackupPrivilege	3760	msiexec.exe
Token: SeRestorePrivilege	3760	msiexec.exe
Token: SeShutdownPrivilege	3760	msiexec.exe
Token: SeDebugPrivilege	3760	msiexec.exe
Token: SeAuditPrivilege	3760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3760	msiexec.exe
Token: SeChangeNotifyPrivilege	3760	msiexec.exe
Token: SeRemoteShutdownPrivilege	3760	msiexec.exe
Token: SeUndockPrivilege	3760	msiexec.exe
Token: SeSyncAgentPrivilege	3760	msiexec.exe
Token: SeEnableDelegationPrivilege	3760	msiexec.exe
Token: SeManageVolumePrivilege	3760	msiexec.exe
Token: SeImpersonatePrivilege	3760	msiexec.exe
Token: SeCreateGlobalPrivilege	3760	msiexec.exe
Token: SeCreateTokenPrivilege	3760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3760	msiexec.exe
Token: SeLockMemoryPrivilege	3760	msiexec.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

WinRAR.exemsiexec.exemsiexec.exemsiexec.exemsiexec.exetaskmgr.exe

pid	process
3164	WinRAR.exe
3164	WinRAR.exe
3164	WinRAR.exe
3164	WinRAR.exe
3164	WinRAR.exe
3760	msiexec.exe
4200	msiexec.exe
4284	msiexec.exe
3036	msiexec.exe
4284	msiexec.exe
3036	msiexec.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious use of SendNotifyMessage 42 IoCs

Processes:

taskmgr.exe

pid	process
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe
3996	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Kepserverex_5_5_14_493_crack_by_CORE.exewinrar-x64-600ru.exeuninstall.exeSetup.exe6489A2274AE24900.exe6489A2274AE24900.exefirefox.exe1613596398745.exefirefox.exe1613596401214.exeThunderFW.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exekeygen-pr.exe

pid	process
3008	Kepserverex_5_5_14_493_crack_by_CORE.exe
3008	Kepserverex_5_5_14_493_crack_by_CORE.exe
2592	winrar-x64-600ru.exe
2592	winrar-x64-600ru.exe
2592	winrar-x64-600ru.exe
4032	uninstall.exe
3848	Setup.exe
2512	6489A2274AE24900.exe
2936	6489A2274AE24900.exe
4904	firefox.exe
4116	1613596398745.exe
4336	firefox.exe
4348	1613596401214.exe
4384	ThunderFW.exe
5840	keygen-pr.exe
5840	keygen-pr.exe
5184	keygen-pr.exe
5184	keygen-pr.exe
5588	keygen-pr.exe
5588	keygen-pr.exe
1164	keygen-pr.exe
1164	keygen-pr.exe
5224	keygen-pr.exe
5224	keygen-pr.exe
6064	keygen-pr.exe
6064	keygen-pr.exe
6024	keygen-pr.exe
6024	keygen-pr.exe
6044	keygen-pr.exe
6044	keygen-pr.exe
5164	keygen-pr.exe
5164	keygen-pr.exe
1532	keygen-pr.exe
1532	keygen-pr.exe
6124	keygen-pr.exe
6124	keygen-pr.exe
6104	keygen-pr.exe
6104	keygen-pr.exe
6084	keygen-pr.exe
6084	keygen-pr.exe
5300	keygen-pr.exe
5300	keygen-pr.exe
3628	keygen-pr.exe
3628	keygen-pr.exe
1964	keygen-pr.exe
1964	keygen-pr.exe
4124	keygen-pr.exe
4124	keygen-pr.exe
2256	keygen-pr.exe
2256	keygen-pr.exe
5096	keygen-pr.exe
5096	keygen-pr.exe
3500	keygen-pr.exe
3500	keygen-pr.exe
1832	keygen-pr.exe
1832	keygen-pr.exe
5396	keygen-pr.exe
5396	keygen-pr.exe
5376	keygen-pr.exe
5376	keygen-pr.exe
5100	keygen-pr.exe
5100	keygen-pr.exe
4068	keygen-pr.exe
4068	keygen-pr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

winrar-x64-600ru.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exeSetup.exemsiexec.execmd.exe6489A2274AE24900.exe

description	pid	process	target process
PID 2592 wrote to memory of 4032	2592	winrar-x64-600ru.exe	uninstall.exe
PID 2592 wrote to memory of 4032	2592	winrar-x64-600ru.exe	uninstall.exe
PID 4052 wrote to memory of 1296	4052	cmd.exe	keygen-pr.exe
PID 4052 wrote to memory of 1296	4052	cmd.exe	keygen-pr.exe
PID 4052 wrote to memory of 1296	4052	cmd.exe	keygen-pr.exe
PID 4052 wrote to memory of 1228	4052	cmd.exe	keygen-step-1.exe
PID 4052 wrote to memory of 1228	4052	cmd.exe	keygen-step-1.exe
PID 4052 wrote to memory of 1228	4052	cmd.exe	keygen-step-1.exe
PID 4052 wrote to memory of 4060	4052	cmd.exe	keygen-step-3.exe
PID 4052 wrote to memory of 4060	4052	cmd.exe	keygen-step-3.exe
PID 4052 wrote to memory of 4060	4052	cmd.exe	keygen-step-3.exe
PID 4052 wrote to memory of 3844	4052		keygen-step-4.exe
PID 4052 wrote to memory of 3844	4052		keygen-step-4.exe
PID 4052 wrote to memory of 3844	4052		keygen-step-4.exe
PID 1296 wrote to memory of 3104	1296	keygen-pr.exe	key.exe
PID 1296 wrote to memory of 3104	1296	keygen-pr.exe	key.exe
PID 1296 wrote to memory of 3104	1296	keygen-pr.exe	key.exe
PID 3844 wrote to memory of 3848	3844	keygen-step-4.exe	Setup.exe
PID 3844 wrote to memory of 3848	3844	keygen-step-4.exe	Setup.exe
PID 3844 wrote to memory of 3848	3844	keygen-step-4.exe	Setup.exe
PID 4060 wrote to memory of 4004	4060	keygen-step-3.exe	cmd.exe
PID 4060 wrote to memory of 4004	4060	keygen-step-3.exe	cmd.exe
PID 4060 wrote to memory of 4004	4060	keygen-step-3.exe	cmd.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 3104 wrote to memory of 3836	3104	key.exe	key.exe
PID 4004 wrote to memory of 1000	4004	cmd.exe	PING.EXE
PID 4004 wrote to memory of 1000	4004	cmd.exe	PING.EXE
PID 4004 wrote to memory of 1000	4004	cmd.exe	PING.EXE
PID 3848 wrote to memory of 3760	3848	Setup.exe	msiexec.exe
PID 3848 wrote to memory of 3760	3848	Setup.exe	msiexec.exe
PID 3848 wrote to memory of 3760	3848	Setup.exe	msiexec.exe
PID 2136 wrote to memory of 1472	2136	msiexec.exe	MsiExec.exe
PID 2136 wrote to memory of 1472	2136	msiexec.exe	MsiExec.exe
PID 2136 wrote to memory of 1472	2136	msiexec.exe	MsiExec.exe
PID 3848 wrote to memory of 2512	3848	Setup.exe	6489A2274AE24900.exe
PID 3848 wrote to memory of 2512	3848	Setup.exe	6489A2274AE24900.exe
PID 3848 wrote to memory of 2512	3848	Setup.exe	6489A2274AE24900.exe
PID 3848 wrote to memory of 2936	3848	Setup.exe	6489A2274AE24900.exe
PID 3848 wrote to memory of 2936	3848	Setup.exe	6489A2274AE24900.exe
PID 3848 wrote to memory of 2936	3848	Setup.exe	6489A2274AE24900.exe
PID 3848 wrote to memory of 2204	3848	Setup.exe	cmd.exe
PID 3848 wrote to memory of 2204	3848	Setup.exe	cmd.exe
PID 3848 wrote to memory of 2204	3848	Setup.exe	cmd.exe
PID 3844 wrote to memory of 2228	3844	keygen-step-4.exe	md2_2efs.exe
PID 3844 wrote to memory of 2228	3844	keygen-step-4.exe	md2_2efs.exe
PID 3844 wrote to memory of 2228	3844	keygen-step-4.exe	md2_2efs.exe
PID 2204 wrote to memory of 3492	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 3492	2204	cmd.exe	PING.EXE
PID 2204 wrote to memory of 3492	2204	cmd.exe	PING.EXE
PID 2936 wrote to memory of 4892	2936	6489A2274AE24900.exe	cmd.exe
PID 2936 wrote to memory of 4892	2936	6489A2274AE24900.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Kepserverex_5_5_14_493_crack_by_CORE.exe
"C:\Users\Admin\AppData\Local\Temp\Kepserverex_5_5_14_493_crack_by_CORE.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Users\Admin\Desktop\winrar-x64-600ru.exe
"C:\Users\Admin\Desktop\winrar-x64-600ru.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1824

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:1164

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Desktop\[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe" "?\"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3164

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\keygen.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\Desktop\keygen-step-1.exe
keygen-step-1.exe
2⤵
- Executes dropped EXE
PID:1228

C:\Users\Admin\Desktop\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3104

C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
4⤵
- Executes dropped EXE
PID:3836

C:\Users\Admin\Desktop\keygen-step-3.exe
keygen-step-3.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\keygen-step-3.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:1000

C:\Users\Admin\Desktop\keygen-step-4.exe
keygen-step-4.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3848

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
4⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3760

C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 0011 installp1
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Users\Admin\AppData\Roaming\1613596398745.exe
"C:\Users\Admin\AppData\Roaming\1613596398745.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613596398745.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Users\Admin\AppData\Roaming\1613596401214.exe
"C:\Users\Admin\AppData\Roaming\1613596401214.exe" /sjson "C:\Users\Admin\AppData\Roaming\1613596401214.txt"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
5⤵
PID:4756

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4408

C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe
C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe 200 installp1
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4892

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:5040

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6489A2274AE24900.exe"
5⤵
PID:3740

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4300

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
5⤵
- Runs ping.exe
PID:3492

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 2652
4⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4400

C:\Users\Admin\AppData\Roaming\F202.tmp.exe
"C:\Users\Admin\AppData\Roaming\F202.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4508

C:\Users\Admin\AppData\Roaming\F202.tmp.exe
"C:\Users\Admin\AppData\Roaming\F202.tmp.exe"
5⤵
- Executes dropped EXE
PID:4828

C:\Users\Admin\AppData\Roaming\F33B.tmp.exe
"C:\Users\Admin\AppData\Roaming\F33B.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\F33B.tmp.exe"
5⤵
PID:4128

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
PID:4836

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4992

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
3⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe"
4⤵
- Executes dropped EXE
PID:3824

C:\ProgramData\2005533.22
"C:\ProgramData\2005533.22"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:584

C:\ProgramData\3948085.43
"C:\ProgramData\3948085.43"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4012

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:5020

C:\ProgramData\2162697.23
"C:\ProgramData\2162697.23"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gdrrr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4280

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:4340

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2740

C:\Users\Admin\Desktop\keygen-step-1.exe
"C:\Users\Admin\Desktop\keygen-step-1.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4526D26E73C73C0DE78DFDBD2E15FD53 C
2⤵
- Loads dropped DLL
PID:1472

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 93532F605A053CAB7E1B6A2E0F6BEE06 C
2⤵
- Loads dropped DLL
PID:4748

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4396

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 08470AE266CC28FDE2524407FB51C22F C
2⤵
- Loads dropped DLL
PID:4364

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5CEBB6841F1CEDBDE34D7DB1706353C3 C
2⤵
- Loads dropped DLL
PID:3528

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Executes dropped EXE
PID:3228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4556

C:\Users\Admin\Desktop\[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe
"C:\Users\Admin\Desktop\[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen.bat" "
2⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:4244

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:4320

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:5036

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe"
4⤵
PID:4532

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4548

C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
PID:3096

C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4460

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4200

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
5⤵
PID:3140

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4760

C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 2700
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2932

C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
4⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\AppData\Roaming\B087.tmp.exe
"C:\Users\Admin\AppData\Roaming\B087.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2664

C:\Users\Admin\AppData\Roaming\B087.tmp.exe
"C:\Users\Admin\AppData\Roaming\B087.tmp.exe"
6⤵
- Executes dropped EXE
PID:2776

C:\Users\Admin\AppData\Roaming\B115.tmp.exe
"C:\Users\Admin\AppData\Roaming\B115.tmp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\B115.tmp.exe"
6⤵
PID:4900

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
5⤵
PID:4132

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4808

C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:632

C:\Users\Admin\AppData\Local\Temp\RarSFX3\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\installer.exe"
5⤵
- Executes dropped EXE
PID:4632

C:\ProgramData\2927084.32
"C:\ProgramData\2927084.32"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\ProgramData\5654046.62
"C:\ProgramData\5654046.62"
6⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:3924

C:\ProgramData\4369147.48
"C:\ProgramData\4369147.48"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4716

C:\Users\Admin\AppData\Local\Temp\RarSFX4\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\gdrrr.exe"
4⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4032

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {515980c3-57fe-4c1e-a561-730dd256ab98} -Embedding
1⤵
PID:5076

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\CORE.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\keygen.bat" "
1⤵
PID:4560

C:\Users\Admin\Desktop\keygen-step-1.exe
keygen-step-1.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\Desktop\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
2⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX5\key.exe -txt -scanlocal -file:potato.dat
4⤵
- Executes dropped EXE
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\keygen.bat" "
1⤵
PID:1184

C:\Users\Admin\Desktop\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
2⤵
- Executes dropped EXE
PID:4212

C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe"
3⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX7\key.exe -txt -scanlocal -file:potato.dat
4⤵
PID:4968

C:\Users\Admin\Desktop\keygen-step-1.exe
keygen-step-1.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\keygen.bat" "
1⤵
PID:1964

C:\Users\Admin\Desktop\keygen-step-1.exe
keygen-step-1.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\Desktop\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
2⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe -txt -scanlocal -file:potato.dat
4⤵
- Executes dropped EXE
PID:4088

C:\Users\Admin\Desktop\[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe
"C:\Users\Admin\Desktop\[CRACKNET.NET]PW12345Kepserverex_5_5_14_493_crack_by_CORE.exe"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen.bat" "
2⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe"
4⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX6\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-1.exe
keygen-step-1.exe
3⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-3.exe
keygen-step-3.exe
3⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-3.exe"
4⤵
PID:4592

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3752

C:\Users\Admin\AppData\Local\Temp\RarSFX5\keygen-step-4.exe
keygen-step-4.exe
3⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\RarSFX6\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\Setup.exe"
4⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2884

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4284

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX6\Setup.exe"
5⤵
PID:3216

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:1664

C:\Users\Admin\AppData\Local\Temp\RarSFX6\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\md2_2efs.exe"
4⤵
- Checks whether UAC is enabled
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 2736
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Users\Admin\AppData\Local\Temp\RarSFX6\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\file.exe"
4⤵
PID:4860

C:\Users\Admin\AppData\Roaming\4073.tmp.exe
"C:\Users\Admin\AppData\Roaming\4073.tmp.exe"
5⤵
- Suspicious use of SetThreadContext
PID:3596

C:\Users\Admin\AppData\Roaming\4073.tmp.exe
"C:\Users\Admin\AppData\Roaming\4073.tmp.exe"
6⤵
PID:4580

C:\Users\Admin\AppData\Roaming\40F1.tmp.exe
"C:\Users\Admin\AppData\Roaming\40F1.tmp.exe"
5⤵
- Loads dropped DLL
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\40F1.tmp.exe"
6⤵
PID:1860

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:4480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX6\file.exe"
5⤵
PID:2192

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3432

C:\Users\Admin\AppData\Local\Temp\RarSFX6\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\BTRSetp.exe"
4⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\RarSFX9\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX9\installer.exe"
5⤵
PID:4356

C:\ProgramData\1842925.20
"C:\ProgramData\1842925.20"
6⤵
PID:4672

C:\ProgramData\4569887.50
"C:\ProgramData\4569887.50"
6⤵
- Suspicious behavior: SetClipboardViewer
PID:196

C:\ProgramData\3284988.36
"C:\ProgramData\3284988.36"
6⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\RarSFX6\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX6\gdrrr.exe"
4⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4476

C:\Users\Admin\Desktop\keygen-step-4.exe
"C:\Users\Admin\Desktop\keygen-step-4.exe"
1⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
2⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4324

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
3⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3036

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\Setup.exe"
3⤵
PID:1220

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:4488

C:\Users\Admin\AppData\Local\Temp\RarSFX8\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\md2_2efs.exe"
2⤵
- Checks whether UAC is enabled
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 2688
3⤵
- Program crash
PID:4108

C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe"
2⤵
PID:2448

C:\Users\Admin\AppData\Roaming\67C1.tmp.exe
"C:\Users\Admin\AppData\Roaming\67C1.tmp.exe"
3⤵
- Suspicious use of SetThreadContext
PID:4568

C:\Users\Admin\AppData\Roaming\67C1.tmp.exe
"C:\Users\Admin\AppData\Roaming\67C1.tmp.exe"
4⤵
PID:2236

C:\Users\Admin\AppData\Roaming\684F.tmp.exe
"C:\Users\Admin\AppData\Roaming\684F.tmp.exe"
3⤵
- Loads dropped DLL
PID:8

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\684F.tmp.exe"
4⤵
PID:5532

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
5⤵
- Delays execution with timeout.exe
PID:5564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX8\file.exe"
3⤵
PID:1844

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:412

C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\BTRSetp.exe"
2⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\RarSFX10\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX10\installer.exe"
3⤵
PID:4712

C:\ProgramData\6346410.69
"C:\ProgramData\6346410.69"
4⤵
PID:4924

C:\ProgramData\1550137.17
"C:\ProgramData\1550137.17"
4⤵
- Suspicious behavior: SetClipboardViewer
PID:4648

C:\ProgramData\265238.2
"C:\ProgramData\265238.2"
4⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\RarSFX8\gdrrr.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX8\gdrrr.exe"
2⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
PID:5512

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3996

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:5700

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5840

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6024

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6044

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6084

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6104

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:6124

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5164

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:3588

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:1172

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5280

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:1716

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5312

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:4492

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5320

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:4496

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5352

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4068

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5100

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5376

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5396

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5300

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5420

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5448

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:4724

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:4180

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:500

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:964

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:2288

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:4440

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:3780

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:2140

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:1020

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:2488

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:5400

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:2292

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
PID:296

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5588

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5184

C:\Users\Admin\Desktop\keygen-pr.exe
"C:\Users\Admin\Desktop\keygen-pr.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery