redline | b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-1 = "V2.0\|Action=Block\|Dir=In\|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_32\|Name=Block traffic for clr_optimization_v4.0.30319_32\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-2 = "V2.0\|Action=Block\|Dir=Out\|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_32\|Name=Block traffic for clr_optimization_v4.0.30319_32\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-1 = "V2.0\|Action=Block\|Dir=In\|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_64\|Name=Block traffic for clr_optimization_v4.0.30319_64\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-2 = "V2.0\|Action=Block\|Dir=Out\|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_64\|Name=Block traffic for clr_optimization_v4.0.30319_64\|"	msiexec.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2340-290-0x000000000041B23A-mapping.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00050000000132a0-108.dat	family_socelars
behavioral1/files/0x00050000000132a0-174.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1400-196-0x0000000000400000-0x0000000002E08000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00050000000130d5-70.dat	aspack_v212_v242
behavioral1/files/0x00060000000126a2-73.dat	aspack_v212_v242
behavioral1/files/0x00060000000126a2-72.dat	aspack_v212_v242
behavioral1/files/0x00050000000130d5-71.dat	aspack_v212_v242
behavioral1/files/0x000500000001318e-76.dat	aspack_v212_v242
behavioral1/files/0x000500000001318e-77.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
860	setup_installer.exe
1696	setup_install.exe
1628	Thu16466b26f8b7.exe
1400	Thu1628aafb3efd7c3d.exe
1668	Thu164ba03be19.exe
960	Thu167d514d2a7ac5a.exe
1644	Thu161580bf75.exe
1856	Thu166f9a8bbe80.exe
628	Thu16205451b994.exe
1820	Thu165bd34b1e1d4d81.exe
1208	Thu16f584bd3686.exe
1728	Thu16f3de88a335950bb.exe
472	Thu1653d94a8da.exe
1768	Thu16f3de88a335950bb.tmp
1604	Thu16f3de88a335950bb.exe
856	Thu16f3de88a335950bb.tmp
2252	3720332.scr
2312	6537941.scr
2328	postback.exe
2352	FarLabUninstaller.exe
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
2436	NDP472-KB4054531-Web.exe
2580	09xU.exE
2616	Setup.exe
2740	WinHoster.exe
2840	2102080.scr
2340	Thu164ba03be19.exe
2624	7042787.scr
2948	8525018.scr
1136	3321.exe
812	SetupUtility.exe
2360	hhjjfdr
2924	ServiceModelReg.exe
2632	ServiceModelReg.exe
2104	conhost.exe
836	regtlibv12.exe
2160	conhost.exe
2332	regtlibv12.exe
2516	regtlibv12.exe
1948	regtlibv12.exe
1356	regtlibv12.exe
2636	regtlibv12.exe
2564	regtlibv12.exe
2316	regtlibv12.exe
276	regtlibv12.exe
2340	regtlibv12.exe
1544	regtlibv12.exe
2956	regtlibv12.exe
1220	aspnet_regiis.exe
2648	aspnet_regiis.exe
2908	ngen.exe
836	mscorsvw.exe
2688	ngen.exe
2576	mscorsvw.exe
2968	mscorsvw.exe
2476	ngen.exe
2136	mscorsvw.exe
1512	ngen.exe
760	mscorsvw.exe
2540	mscorsvw.exe
2088	mscorsvw.exe
2676	mscorsvw.exe
2936	mscorsvw.exe
2452	mscorsvw.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2102080.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2102080.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7042787.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7042787.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Thu166f9a8bbe80.exe

Loads dropped DLL 64 IoCs

pid	Process
1080	setup_x86_x64_install.exe
860	setup_installer.exe
860	setup_installer.exe
860	setup_installer.exe
860	setup_installer.exe
860	setup_installer.exe
860	setup_installer.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1176	cmd.exe
112	cmd.exe
112	cmd.exe
948	cmd.exe
948	cmd.exe
1176	cmd.exe
916	cmd.exe
1772	cmd.exe
1628	Thu16466b26f8b7.exe
1628	Thu16466b26f8b7.exe
1668	Thu164ba03be19.exe
1668	Thu164ba03be19.exe
1400	Thu1628aafb3efd7c3d.exe
1400	Thu1628aafb3efd7c3d.exe
1468	cmd.exe
1568	cmd.exe
1568	cmd.exe
960	Thu167d514d2a7ac5a.exe
960	Thu167d514d2a7ac5a.exe
1916	cmd.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
628	Thu16205451b994.exe
628	Thu16205451b994.exe
664	cmd.exe
1320	cmd.exe
1780	cmd.exe
1728	Thu16f3de88a335950bb.exe
1728	Thu16f3de88a335950bb.exe
472	Thu1653d94a8da.exe
472	Thu1653d94a8da.exe
1728	Thu16f3de88a335950bb.exe
1820	Thu165bd34b1e1d4d81.exe
1820	Thu165bd34b1e1d4d81.exe
1768	Thu16f3de88a335950bb.tmp
1768	Thu16f3de88a335950bb.tmp
1768	Thu16f3de88a335950bb.tmp
1768	Thu16f3de88a335950bb.tmp
1604	Thu16f3de88a335950bb.exe
1604	Thu16f3de88a335950bb.exe
1604	Thu16f3de88a335950bb.exe
856	Thu16f3de88a335950bb.tmp
856	Thu16f3de88a335950bb.tmp
856	Thu16f3de88a335950bb.tmp
2232	WerFault.exe
2232	WerFault.exe
2232	WerFault.exe
856	Thu16f3de88a335950bb.tmp
856	Thu16f3de88a335950bb.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6537941.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2102080.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7042787.scr

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ipinfo.io
14	ip-api.com
41	ipinfo.io

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc00C.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc007.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh011.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc011.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B2238AACCEDC3F1FFE8E7EB5F575EC9	mscorsvw.exe
File created	C:\Windows\system32\perfh009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh00C.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400.dll	Setup.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof	mofcomp.exe
File created	C:\Windows\system32\perfh007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh009.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	aspnet_regiis.exe
File created	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	Setup.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh00C.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\msvcp120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	aspnet_regiis.exe
File created	C:\Windows\system32\perfh011.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof	mofcomp.exe
File created	C:\Windows\system32\perfc007.dat	aspnet_regiis.exe
File created	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof	mofcomp.exe
File opened for modification	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc00C.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc011.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof	mofcomp.exe
File created	C:\Windows\system32\perfc009.dat	aspnet_regiis.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2840	2102080.scr
2624	7042787.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 2340	1668	Thu164ba03be19.exe	84

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-NR3TB.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-E5LA3.tmp	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	msiexec.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-UBOF9.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-2Q7FU.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\wpf-etw.man	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.VisualBasic.Activities.Compiler\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Activities.Compiler.dll	msiexec.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\001F\_Networkingperfcounters.ini	lodctr.exe
File opened for modification	C:\Windows\Installer\MSIE8FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF09C.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\home1.aspx.resx	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PresentationNative_v0400.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Xml.XmlSerializer.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFEA.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll	Setup.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Transactions.Bridge.Dtc.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Input.Manipulations\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Input.Manipulations.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\2052\eula.rtf	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\corperfmonsymbols.ini	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF00B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1030\eula.rtf	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\DebugAndTrace.aspx.resx	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\XPThemes.manifest	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clretwrc.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\NETFXRepair.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Design.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XsdBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XsdBuildTask.dll	msiexec.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0010\_TransactionBridgePerfCounters.ini	lodctr.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0804\_TransactionBridgePerfCounters.ini	lodctr.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\netstandard.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet.config	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.XML.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.WebSockets.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\TLBREF.DLL	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\PresentationCore\v4.0_4.0.0.0__31bf3856ad364e35\PresentationCore.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index14f.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\normidna.nlp	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Duplex\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceModel.Duplex.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Http.WebRequest.dll	msiexec.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\_NetworkingPerfCounters.h	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Reflection.Primitives.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCBD.tmp	msiexec.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\PenIMC_v0400.dll	msiexec.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0013\PerfCounters.ini	lodctr.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Expressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Expressions.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	msiexec.exe
File created	C:\Windows\inf\aspnet_state\0012\aspnet_state_perf.ini	aspnet_regiis.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0816\_TransactionBridgePerfCounters.ini	lodctr.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state_perf.h	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\unSelectedTab_rightCorner.gif	msiexec.exe
File created	C:\Windows\inf\ASP.NET\0012\aspnet_perf2.ini	aspnet_regiis.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index153.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.h	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\en-US\ServiceModelPerformanceCounters.dll.mui	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\adonetdiag.mof.uninstall	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state_perf.ini	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\App_LocalResources\chooseProviderManagement.aspx.resx	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2232	1400	WerFault.exe	45
3056	1856	WerFault.exe	47

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu16466b26f8b7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu16466b26f8b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu16466b26f8b7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hhjjfdr

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2628	taskkill.exe
2336	taskkill.exe
2696	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BBFBC91-284A-11EC-8BB5-D613E35B5575} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340471013"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a60000000002000000000010660000000100002000000083e575d713da71eae99a304b7419a78d9e8b53ec49d5022444fa44fa9e5cd29b000000000e8000000002000020000000a04deb6ff8e418c95ecce1a2e56230866dbee52293c8035efcce446281c02de520000000ad9ba3ede2d0e9b35274d080ffc781f4214fd0c851c9b9081f604d424351f1f4400000000a8cf97408ef9ce9338a8f50e1bfc33602f6d4a70312deb576a677386591849469044385d11a8cb520eb6a165251efb1f34ec08ece95fca996f266a6dae4962c	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0a0103f57bcd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a6000000000200000000001066000000010000200000001e7ce8a948fb8c97f51e076f251c72c9d6dc67f65c10efb1c6399e31e6e4f845000000000e8000000002000020000000e77f0876b10df0bc623fd04501374a805e6fb7c3b0cdc68b2e9df58ed85020f790000000eae836c1cdbe5449556e57d09fabf3cfb75726d509ed4abd9efa224e3db2c69b1eab2d108764c47cfaf1b054e4a43d59f9adb23138b5cb83c4a5b3f3862c7aa4fae41508cd2c85c3535b195aed1b23ec46d9755ef1708e2c5ecd0e29f0174c25ade98e7b7c8149639e0401118da70b24f459e5cd6ac70e16947d021bca3df560de38750ff597ba48869d215f5c95d61a40000000eee7551abd9af214a848c833110d5f545a257c0ca7cce997b2d74491b35f64e45020ee0ee4247b151d456a5e29289b966d0df824cc8ac7e5d341a6f264c6795b	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\6CF876C7\LanguageList = 6a0061002d004a00500000006a006100000065006e002d0055005300000065006e0000000000	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\6CF876C7\@%SystemRoot%\system32\dnsapi.dll,-103 = "ドメインネームシステム (DNS) サーバー信頼"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\6CF876C7\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker ドライブ暗号化"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mscorsvw.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mscorsvw.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name = "mscorsvw.exe"	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mscorsvw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mscorsvw.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{B30FD15E-CED6-3977-8151-0D50E79CD703}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B38DA717-D61B-3C13-93CE-2B9370D0AE43}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB4020210 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BD98650-5AE6-3F03-B6CF-1463BBD45E6D}\4.0.0.0\Class = "System.Reflection.ExceptionHandlingClauseOptions"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA68FFCE-C94A-3A7B-ABB9-BE5259B66D1B}\4.0.0.0\Class = "System.EnterpriseServices.CompensatingResourceManager.LogRecordFlags"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236}\ProgID\ = "PenIMC4v2.PimcSurrogate2.4"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7DE6016B-A2A2-33A7-875D-3F78DE18094A}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D533D4E5-8654-3F82-81DC-E751CB792593}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5437FDFA-9EC9-4CCC-8531-42F8D9C19AF7}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2173568C-6EDC-392B-880A-CC158D7E2BDA}\4.0.0.0\Class = "System.Resources.UltimateResourceFallbackLocation"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{4E8B1BB8-6A6F-3B57-8AFA-0129550B07BE}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7DE6016B-A2A2-33A7-875D-3F78DE18094A}\4.0.0.0\Class = "System.Diagnostics.SymbolStore.SymSearchPolicies"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{148540D3-E67F-36DC-A55D-2C8DEC53B9D3}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{51E1B3CA-D3CB-39BF-A016-6199569E74B2}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2938782 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{56ABB41C-4516-30F6-882E-57F234AB5028}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E3DC8079-43BC-3E70-B291-1591CC9E451D}\4.0.0.0\Class = "System.Configuration.Assemblies.AssemblyVersionCompatibility"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{E6FBF496-6B15-3A23-A4D2-A2F7137C1216}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{F75B6772-91E4-4D2F-9D44-61A447109C2B}\DllSurrogate	aspnet_regiis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A6CCEB32-EC73-3E9B-8852-02783C97D3FA}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{23D4A35B-C997-3401-8372-736025B17744}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3613A9B6-C23B-3B54-AE02-6EC764D69E70}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{688A6FF0-5727-32D2-8228-6E838A822616}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{B42619B4-0EDC-3F55-AA64-2140275FA115}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0EFE423A-A87E-33D9-8BF4-2D212620EE5F}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{D58DC4BB-3A4C-3B0C-B75F-9D0876694F3D}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{B3B46869-C190-3199-96DA-4006E2AC6E72}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3095338 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{51191552-C65E-360D-BA21-9F0E454FD59F}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3223E024-5D70-3236-A92A-6B4114B2632F}\4.0.0.0\Class = "System.Reflection.BindingFlags"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6BE41CDF-29D7-32DB-8181-5117F580BA68}\4.0.0.0\Class = "System.Security.Cryptography.CspProviderFlags"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{5437FDFA-9EC9-4CCC-8531-42F8D9C19AF7}\InprocServer32\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F4E1E7F6-A035-41B3-9856-A3C3A1C4684F}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{11472518-C3B8-3BF4-9705-2135E1709883}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{8636F9A3-3B92-38E6-95DC-0B965086AC44}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0015B4CC-EDC9-3A0E-B14A-AFB8F75F2A1C}\2.4\0\win32\ = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\System.Web.tlb"	aspnet_regiis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{74CAA246-BE0E-3AE5-A17C-946E10D89626}\4.0.0.0\Class = "System.IO.FileAccess"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E8B1BB8-6A6F-3B57-8AFA-0129550B07BE}\4.0.0.0\Class = "System.Reflection.Emit.EventToken"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{94942670-4ACF-3572-92D1-0916CD777E00}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9C5923E9-DE52-33EA-88DE-7EBC8633B9CC}\4.0.0.0\Class = "System.Guid"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D12ABE44-783E-328B-AAD3-4ED726E903C7}\4.0.0.0\Class = "System.MidpointRounding"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{38512CF6-FF94-3AD8-8299-F5F64A8956AA}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B718F0F8-E5E7-3651-A2BE-97009B568250}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E6FBF496-6B15-3A23-A4D2-A2F7137C1216}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CD6CB0A8-D6EF-33E8-888E-FE8C78CA568F}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A026E65F-9720-3F82-8DE1-A18E51180A34}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E05A70A-1BBE-31DF-B2A8-B8FA0F130915}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{DEAE387D-C9A7-3A9C-B772-0153A2538502}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{215B68E5-0E78-4505-BE40-962EE3A0C379}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{82B28727-8F1B-3C0D-92A6-EBE9F1F4B8C4}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{A419B664-DABD-383D-A0DB-991487D41E14}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{566833C7-F4A0-30EE-BD7E-44752AD570E6}\4.0.0.0\Class = "System.Reflection.Emit.PropertyToken"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8CF0278D-D0AD-307D-BE63-A785432E3FDF}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B6B91160-2ABF-352B-A74D-1174CC324E18}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{4E9963B7-B2BF-4685-9378-8FEBEA364EF8}\InprocServer32\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3127233 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3143693 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3086153 = "Servicing_Key"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Thu167d514d2a7ac5a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5900000001000000120000005200530041002f00530048004100310000001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Thu167d514d2a7ac5a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	Thu16466b26f8b7.exe
1628	Thu16466b26f8b7.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1372	Process not Found
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1372	Process not Found
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1372	Process not Found
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1372	Process not Found
1856	Thu166f9a8bbe80.exe
1856	Thu166f9a8bbe80.exe
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
856	Thu16f3de88a335950bb.tmp
856	Thu16f3de88a335950bb.tmp
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
1372	Process not Found
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
1372	Process not Found
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
1372	Process not Found
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
1372	Process not Found
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
1372	Process not Found
2416	F6Ov3FAHfwyj7yenlzaqdNBa.exe
1372	Process not Found
1372	Process not Found

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1372	Process not Found
3056	WerFault.exe
2232	WerFault.exe
2492	iexplore.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1628	Thu16466b26f8b7.exe
2360	hhjjfdr
2164	hhjjfdr
1108	hhjjfdr

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeAssignPrimaryTokenPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeLockMemoryPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeIncreaseQuotaPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeMachineAccountPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeTcbPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeSecurityPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeTakeOwnershipPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeLoadDriverPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeSystemProfilePrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeSystemtimePrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeProfSingleProcessPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeIncBasePriorityPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeCreatePagefilePrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeCreatePermanentPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeBackupPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeRestorePrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeShutdownPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeDebugPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeAuditPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeSystemEnvironmentPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeChangeNotifyPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeRemoteShutdownPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeUndockPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeSyncAgentPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeEnableDelegationPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeManageVolumePrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeImpersonatePrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: SeCreateGlobalPrivilege	1820	Thu165bd34b1e1d4d81.exe
Token: 31	1820	Thu165bd34b1e1d4d81.exe
Token: 32	1820	Thu165bd34b1e1d4d81.exe
Token: 33	1820	Thu165bd34b1e1d4d81.exe
Token: 34	1820	Thu165bd34b1e1d4d81.exe
Token: 35	1820	Thu165bd34b1e1d4d81.exe
Token: SeDebugPrivilege	1644	Thu161580bf75.exe
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeDebugPrivilege	2252	3720332.scr
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeDebugPrivilege	2232	WerFault.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	3056	WerFault.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeDebugPrivilege	2948	8525018.scr
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeDebugPrivilege	2340	Thu164ba03be19.exe
Token: SeDebugPrivilege	2624	7042787.scr
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeDebugPrivilege	1136	3321.exe
Token: SeDebugPrivilege	2840	2102080.scr
Token: SeShutdownPrivilege	1372	Process not Found
Token: SeShutdownPrivilege	2616	Setup.exe
Token: SeIncreaseQuotaPrivilege	2616	Setup.exe
Token: SeRestorePrivilege	2644	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
856	Thu16f3de88a335950bb.tmp
2492	iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2492	iexplore.exe
2492	iexplore.exe
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2908	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 1080 wrote to memory of 860	1080	setup_x86_x64_install.exe	28
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 860 wrote to memory of 1696	860	setup_installer.exe	29
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1660	1696	setup_install.exe	31
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1468	1696	setup_install.exe	32
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 1568	1696	setup_install.exe	33
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 916	1696	setup_install.exe	34
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 948	1696	setup_install.exe	35
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1916	1696	setup_install.exe	36
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 1176	1696	setup_install.exe	37
PID 1696 wrote to memory of 664	1696	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe
      4⤵
      Loads dropped DLL
      PID:1468
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu166f9a8bbe80.exe
        
        Thu166f9a8bbe80.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
      - C:\Users\Admin\Pictures\Adobe Films\F6Ov3FAHfwyj7yenlzaqdNBa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\F6Ov3FAHfwyj7yenlzaqdNBa.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1424
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exe
        
        Thu16205451b994.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:628
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu16205451b994.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16205451b994.exe" & exit
        6⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Thu16205451b994.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu161580bf75.exe
      4⤵
      Loads dropped DLL
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu161580bf75.exe
        
        Thu161580bf75.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
      - C:\Users\Admin\AppData\Roaming\3720332.scr
        
        "C:\Users\Admin\AppData\Roaming\3720332.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
      - C:\Users\Admin\AppData\Roaming\6537941.scr
        
        "C:\Users\Admin\AppData\Roaming\6537941.scr" /S
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:2740
      - C:\Users\Admin\AppData\Roaming\2102080.scr
        
        "C:\Users\Admin\AppData\Roaming\2102080.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
      - C:\Users\Admin\AppData\Roaming\7042787.scr
        
        "C:\Users\Admin\AppData\Roaming\7042787.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
      - C:\Users\Admin\AppData\Roaming\8525018.scr
        
        "C:\Users\Admin\AppData\Roaming\8525018.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe
      4⤵
      Loads dropped DLL
      PID:948
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1628aafb3efd7c3d.exe
        
        Thu1628aafb3efd7c3d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 952
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe
      4⤵
      Loads dropped DLL
      PID:1916
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu165bd34b1e1d4d81.exe
        
        Thu165bd34b1e1d4d81.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe
      4⤵
      Loads dropped DLL
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16466b26f8b7.exe
        
        Thu16466b26f8b7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe
      4⤵
      Loads dropped DLL
      PID:664
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f584bd3686.exe
        
        Thu16f584bd3686.exe
        5⤵
        Executes dropped EXE
        
        PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe
      4⤵
      Loads dropped DLL
      PID:1780
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe
        
        Thu16f3de88a335950bb.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1728
      - C:\Users\Admin\AppData\Local\Temp\is-65035.tmp\Thu16f3de88a335950bb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-65035.tmp\Thu16f3de88a335950bb.tmp" /SL5="$50134,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\is-4TDJI.tmp\Thu16f3de88a335950bb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4TDJI.tmp\Thu16f3de88a335950bb.tmp" /SL5="$60134,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu16f3de88a335950bb.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\is-QRM94.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QRM94.tmp\postback.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh
        10⤵
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
        11⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2764
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:668685 /prefetch:2
        11⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:406549 /prefetch:2
        11⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:524
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:865302 /prefetch:2
        11⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2908
        
        C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        9⤵
        Executes dropped EXE
        
        PID:2436
        
        C:\140829a1818fa6f73f98e5c5f3\Setup.exe
        
        C:\140829a1818fa6f73f98e5c5f3\\Setup.exe /q /norestart /x86 /x64 /web
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\140829a1818fa6f73f98e5c5f3\SetupUtility.exe
        
        SetupUtility.exe /screboot
        11⤵
        Executes dropped EXE
        
        PID:812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu164ba03be19.exe
      4⤵
      Loads dropped DLL
      PID:112
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exe
        
        Thu164ba03be19.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu164ba03be19.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe
      4⤵
      Loads dropped DLL
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe
        
        Thu1653d94a8da.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:472
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        6⤵
        Modifies Internet Explorer settings
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu1653d94a8da.exe") do taskkill /F -Im "%~NxU"
        7⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        8⤵
        Executes dropped EXE
        
        PID:2580
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        9⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        10⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        9⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        10⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        11⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        11⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        11⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        
        PID:2892
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        13⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        14⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Thu1653d94a8da.exe"
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe
      4⤵
      Loads dropped DLL
      PID:1772
    - - C:\Users\Admin\AppData\Local\Temp\7zSC5312776\Thu167d514d2a7ac5a.exe
        
        Thu167d514d2a7ac5a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:960

C:\Users\Admin\AppData\Local\Temp\3321.exe
C:\Users\Admin\AppData\Local\Temp\3321.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies firewall policy service
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2644
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 3305B2FC460EDC818C2E42C2AD47DCBA
  2⤵
  PID:2028
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:2900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    PID:1220
  - - C:\Windows\system32\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      Drops file in System32 directory
      PID:2820
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:2316
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:2588
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    PID:2804
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    - Drops file in Windows directory
    PID:2164
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounters.ini"
    3⤵
    PID:1716
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    - Drops file in Windows directory
    PID:2596
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:1600
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 0 -NGENProcess e8 -Pipe f4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent e8 -InterruptEvent 0 -NGENProcess 194 -Pipe 1a0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8927DDDF7403AD32B6CEC7F5206E9FA5
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:2776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:2648
  - - C:\Windows\SysWOW64\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      Drops file in System32 directory
      PID:2872
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    PID:1280
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    - Drops file in Windows directory
    PID:760
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounters.ini"
    3⤵
    - Drops file in Windows directory
    PID:2176
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:2892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
    3⤵
    - Executes dropped EXE
    PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    - Executes dropped EXE
    PID:1512
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 104 -Pipe 110 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 14c -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 0 -NGENProcess 10c -Pipe 1a0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 104 -Pipe 10c -Comment "NGen Worker Process"
      4⤵
      PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a4 -InterruptEvent 0 -NGENProcess 1ac -Pipe 1b0 -Comment "NGen Worker Process"
      4⤵
      PID:2936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 104 -Pipe 1ac -Comment "NGen Worker Process"
      4⤵
      PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 1a4 -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1a4 -Comment "NGen Worker Process"
      4⤵
      PID:2524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1b8 -Comment "NGen Worker Process"
      4⤵
      PID:916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      PID:2556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"
      4⤵
      PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"
      4⤵
      PID:2332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:2092
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:1060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"
      4⤵
      PID:1476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
      4⤵
      PID:2964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1e0 -Comment "NGen Worker Process"
      4⤵
      PID:1108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 144 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1ec -Pipe 144 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      PID:2488
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 713106B227A70FA1598FF8D027BB63FC M Global\MSI0000
  2⤵
  PID:2868
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    - Executes dropped EXE
    PID:2924
  - - C:\Windows\system32\wevtutil.exe
      um C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      im C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:1752
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    PID:2104
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.tlb"
    3⤵
    PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb"
    3⤵
    - Executes dropped EXE
    PID:1356
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    - Executes dropped EXE
    PID:2564
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.tlb"
    3⤵
    - Executes dropped EXE
    PID:276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    - Executes dropped EXE
    PID:1544
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    - Drops file in System32 directory
    PID:1764
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    - Drops file in System32 directory
    PID:1716
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C15451A781A400E1484D8699C2816A30 M Global\MSI0000
  2⤵
  PID:1688
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    - Executes dropped EXE
    PID:836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb"
    3⤵
    - Executes dropped EXE
    PID:2332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"
    3⤵
    - Executes dropped EXE
    PID:1948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.tlb"
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb"
    3⤵
    - Executes dropped EXE
    PID:2340
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    - Drops file in System32 directory
    PID:2132
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    - Drops file in System32 directory
    PID:2560

C:\Windows\system32\taskeng.exe
taskeng.exe {ABD4BCD2-3D11-4BC8-998D-20D67620C0A0} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1292
- C:\Users\Admin\AppData\Roaming\hhjjfdr
  C:\Users\Admin\AppData\Roaming\hhjjfdr
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1914815-1921200576-601127148-14673450262058555430-341981100-15866500911435755881"
1⤵
- Executes dropped EXE
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1413435178171689755219858382561657846805-78265368-99506235710216517081984182807"
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 17c -NGENProcess 180 -Pipe 18c -Comment "NGen Worker Process"
  2⤵
  PID:2148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 17c -NGENProcess 180 -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 1fc -NGENProcess 204 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 1ec -NGENProcess 180 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 208 -NGENProcess 17c -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 180 -NGENProcess 17c -Pipe 1f0 -Comment "NGen Worker Process"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 180 -InterruptEvent 214 -NGENProcess 20c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 20c -NGENProcess 208 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 21c -NGENProcess 17c -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 214 -NGENProcess 224 -Pipe 20c -Comment "NGen Worker Process"
  2⤵
  PID:576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 198 -NGENProcess 17c -Pipe 180 -Comment "NGen Worker Process"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 17c -NGENProcess 220 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 22c -NGENProcess 224 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 224 -NGENProcess 198 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 234 -NGENProcess 220 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 220 -NGENProcess 22c -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:2204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 23c -NGENProcess 198 -Pipe 17c -Comment "NGen Worker Process"
  2⤵
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 198 -NGENProcess 234 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 244 -NGENProcess 22c -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 22c -NGENProcess 23c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 23c -NGENProcess 198 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 198 -NGENProcess 1f4 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1204
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 254 -NGENProcess 244 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 244 -NGENProcess 23c -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 25c -NGENProcess 1f4 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 1f4 -NGENProcess 254 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 264 -NGENProcess 23c -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:2156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 23c -NGENProcess 25c -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 26c -NGENProcess 254 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:1164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 254 -NGENProcess 264 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 274 -NGENProcess 25c -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 25c -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:1568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 27c -NGENProcess 234 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 234 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1492
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 284 -NGENProcess 274 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2728
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 274 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 28c -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 290 -NGENProcess 288 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 294 -NGENProcess 27c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 298 -NGENProcess 264 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1212
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 29c -NGENProcess 288 -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 288 -NGENProcess 294 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 294 -NGENProcess 274 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 288 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2b0 -NGENProcess 274 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b4 -InterruptEvent 2a8 -NGENProcess 2b8 -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 28c -NGENProcess 274 -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 2bc -NGENProcess 2b0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2c0 -NGENProcess 2a8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c0 -NGENProcess 2bc -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2ac -NGENProcess 2a8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 2cc -NGENProcess 2b8 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d4 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2dc -NGENProcess 28c -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2e0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2cc -NGENProcess 2c8 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1348
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2a8 -NGENProcess 2e0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2a8 -NGENProcess 2cc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2ac -NGENProcess 2e0 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2f0 -NGENProcess 2e8 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2dc -NGENProcess 2e0 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 2e0 -NGENProcess 2b8 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 2c8 -NGENProcess 2f8 -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 300 -NGENProcess 2f0 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 304 -NGENProcess 2b8 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:1120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2c8 -NGENProcess 30c -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 308 -NGENProcess 314 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 304 -NGENProcess 318 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 2e0 -NGENProcess 314 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2776
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 31c -NGENProcess 308 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 324 -NGENProcess 2e0 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 324 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2e8 -NGENProcess 328 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 328 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 308 -NGENProcess 2c0 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 338 -NGENProcess 32c -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 330 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2c0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 338 -NGENProcess 348 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 2e8 -NGENProcess 2c0 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 344 -NGENProcess 350 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 2b8 -NGENProcess 2c0 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 354 -NGENProcess 2e8 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 350 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:2432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 2c0 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 2c0 -NGENProcess 2b8 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 34c -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:2216
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 35c -NGENProcess 36c -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 348 -NGENProcess 360 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 368 -NGENProcess 374 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 350 -NGENProcess 360 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:2436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 350 -NGENProcess 368 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:2372
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 2b8 -NGENProcess 360 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 380 -NGENProcess 370 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 368 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 388 -NGENProcess 360 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 380 -NGENProcess 390 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2608
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 378 -NGENProcess 360 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 374 -InterruptEvent 38c -NGENProcess 394 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 384 -NGENProcess 360 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 360 -NGENProcess 374 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 390 -NGENProcess 398 -Pipe 15c -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 390 -NGENProcess 360 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 3a0 -NGENProcess 3a8 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 38c -NGENProcess 360 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 3ac -NGENProcess 370 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 3a0 -NGENProcess 3b4 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:2628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 398 -NGENProcess 370 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b8 -NGENProcess 3ac -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2616
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3bc -NGENProcess 3b4 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\system32\taskeng.exe
taskeng.exe {B8A44C3A-7042-432B-BD79-C57503E29A02} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {949E2586-6E00-4647-A334-FD725C962C65} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:892
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Roaming\hhjjfdr
  C:\Users\Admin\AppData\Roaming\hhjjfdr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2164

C:\Windows\system32\taskeng.exe
taskeng.exe {7155B2AB-35E2-4EF6-AA42-870E1E41B503} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2176
- C:\Users\Admin\AppData\Roaming\hhjjfdr
  C:\Users\Admin\AppData\Roaming\hhjjfdr
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1108

C:\Windows\system32\taskeng.exe
taskeng.exe {D3003385-6194-4080-B51A-6080C2D9ADFA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery