onlylogger | hxxps://crackdj[.]com

System Information Discovery

Processes:

File1.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	File1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	File1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IntelRapid.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IntelRapid.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Mefuhaesazhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation	Mefuhaesazhe.exe

Drops startup file 3 IoCs

Processes:

28A0.tmp.exeFile1.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oXaJMQtLP8H2iTxS.exe	28A0.tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oXaJMQtLP8H2iTxS.exe	28A0.tmp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IntelRapid.lnk	File1.exe

Loads dropped DLL 64 IoCs

Processes:

setup_install.exe61ebc8658050b_Sat095c6f3836.tmpmsiexec.exerundll32.exeregsvr32.exefq.exeMaskVPNUpdate.exeinstaller.exe161.tmpMsiExec.exeregsvr32.exerundll32.exeMsiExec.exemask_svc.exe

pid	process
1244	setup_install.exe
1244	setup_install.exe
1244	setup_install.exe
1244	setup_install.exe
1244	setup_install.exe
2252	61ebc8658050b_Sat095c6f3836.tmp
2052	msiexec.exe
2052	msiexec.exe
4188	rundll32.exe
1496	regsvr32.exe
1496	regsvr32.exe
4940	fq.exe
4940	fq.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5668	installer.exe
5668	installer.exe
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5668	installer.exe
4980	MsiExec.exe
4980	MsiExec.exe
4156	regsvr32.exe
4156	regsvr32.exe
5580	rundll32.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5240	MsiExec.exe
5240	MsiExec.exe
5240	MsiExec.exe
5240	MsiExec.exe
5240	MsiExec.exe
5240	MsiExec.exe
5240	MsiExec.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
5264	MaskVPNUpdate.exe
6096	mask_svc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\File1.exe	themida
C:\Users\Admin\AppData\Local\Temp\File1.exe	themida
behavioral2/memory/2380-122-0x00007FF620940000-0x00007FF6212BB000-memory.dmp	themida
behavioral2/memory/2380-123-0x00007FF620940000-0x00007FF6212BB000-memory.dmp	themida
behavioral2/memory/2380-124-0x00007FF620940000-0x00007FF6212BB000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe	themida
behavioral2/memory/1828-127-0x00007FF728110000-0x00007FF728A8B000-memory.dmp	themida
behavioral2/memory/1828-128-0x00007FF728110000-0x00007FF728A8B000-memory.dmp	themida
behavioral2/memory/1828-129-0x00007FF728110000-0x00007FF728A8B000-memory.dmp	themida

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exeMSekni.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Ciqaeluzhuli.exe\""	MSekni.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

File1.exeIntelRapid.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	File1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IntelRapid.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

msiexec.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\L:	installer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

608 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
608	ip-api.com

Drops file in System32 directory 31 IoCs

Processes:

svchost.exeDrvInst.exesvchost.exeDrvInst.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F7C264DB4F4D13E98BD0F42F39340C0	svchost.exe
File created	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\SET7AED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #2	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #4	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\SET7AEB.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\SET7AEB.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\SET7AEC.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedUpdater	svchost.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #5	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\SET7AED.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #6	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	rundll32.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #1	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{f68888b5-45a2-8543-a374-1b3b41f133d4}\SET7AEC.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F7C264DB4F4D13E98BD0F42F39340C0	svchost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\Tasks\AdvancedWindowsManager #3	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

Processes:

File1.exeIntelRapid.exe61ebc863e3c48_Sat0908028a923.exead760080-e664-4c93-8450-bbc36ff9ac73.exe78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe9b3d2795-33ba-48e1-8fbb-0250781a2197.exe2cdbe193-fcaf-40e4-9a68-950838b9e219.exeSetup.exeOriginal.exe75af9695-d4c9-400b-bf1b-a7124ad29336.exec62c6b37-cd7a-4ca1-8713-b015b7bfc73a.exe61ddaf8f-4df8-4881-9377-61fd20e4774f.exe10d41032-bf70-4ad8-83f4-ae7a25822c34.exemask_svc.exemask_svc.exemask_svc.exe

pid	process
2380	File1.exe
1828	IntelRapid.exe
852	61ebc863e3c48_Sat0908028a923.exe
4952	ad760080-e664-4c93-8450-bbc36ff9ac73.exe
5048	78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe
2712	6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe
3956	9b3d2795-33ba-48e1-8fbb-0250781a2197.exe
1584	2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
6064	Setup.exe
4800	Original.exe
5700	75af9695-d4c9-400b-bf1b-a7124ad29336.exe
5316	c62c6b37-cd7a-4ca1-8713-b015b7bfc73a.exe
1048	61ddaf8f-4df8-4881-9377-61fd20e4774f.exe
4648	10d41032-bf70-4ad8-83f4-ae7a25822c34.exe
5996	mask_svc.exe
664	mask_svc.exe
6096	mask_svc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exeOriginal.exe

description	pid	process	target process
PID 2688 set thread context of 4604	2688	svchost.exe	svchost.exe
PID 5388 set thread context of 4800	5388	Original.exe	Original.exe

Drops file in Program Files directory 64 IoCs

Processes:

161.tmpmsiexec.exepoweroff.tmpMaskVPNUpdate.exeMSekni.exe

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\is-KPQSR.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-6FBLT.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-8T18K.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-JU4PI.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.msg	161.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\powerOff\Power Off.exe	poweroff.tmp
File created	C:\Program Files (x86)\powerOff\is-EK896.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-8SCP6.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-PJUNA.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-4FGI4.tmp	161.tmp
File created	C:\Program Files (x86)\Footer Quotes\uninstall.tar	MaskVPNUpdate.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\MaskVPN\is-VG18P.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-PMQUU.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-KDLPS.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-4CD2D.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	161.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-KP597.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-U7FAG.tmp	161.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-PR1NH.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.dll	161.tmp
File created	C:\Program Files (x86)\MaskVPN\unins000.dat	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-VBAT8.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-11DON.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-QP4QN.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MQL9I.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UDHQK.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DGUVQ.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-9TSOO.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-0RDM0.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-MLR2V.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-H4AAE.tmp	161.tmp
File created	C:\Program Files\Windows Security\ZLXYNZURWQ\poweroff.exe	MSekni.exe
File created	C:\Program Files (x86)\powerOff\unins000.dat	poweroff.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-MN89A.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-CKFRM.tmp	161.tmp
File created	C:\Program Files (x86)\Footer Quotes\infile_x64.cab	MaskVPNUpdate.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-63N5G.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-GIMDG.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File created	C:\Program Files (x86)\Common Files\Ciqaeluzhuli.exe.config	MSekni.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-5H6QS.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-AJA50.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-DUU26.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-GN5KR.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-ET45G.tmp	161.tmp
File created	C:\Program Files (x86)\powerOff\is-3J4RE.tmp	poweroff.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libMaskVPN.dll	161.tmp

Drops file in Windows directory 56 IoCs

Processes:

msiexec.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMaskVPNUpdate.exeDrvInst.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeWerFault.exeMicrosoftEdgeCP.exerundll32.exeDrvInst.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI4237.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI85C2.tmp	msiexec.exe
File created	C:\Windows\Installer\{a58e4f69-d4e3-8a76-6fe9-ceca6547fd3e}\2e6e40394c455899c25a735c705ee3e7	MaskVPNUpdate.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIDEFA.tmp	msiexec.exe
File created	C:\Windows\Installer\{a58e4f69-d4e3-8a76-6fe9-ceca6547fd3e}\e42520b4318dfd8363560a718a5000cc.001	MaskVPNUpdate.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\f7cb78a.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI391E.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f7cb787.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8562.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSI50DE.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA062.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8592.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB6F.tmp	msiexec.exe
File created	C:\Windows\Installer\{a58e4f69-d4e3-8a76-6fe9-ceca6547fd3e}\e42520b4318dfd8363560a718a5000cc	MaskVPNUpdate.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\Installer\{a58e4f69-d4e3-8a76-6fe9-ceca6547fd3e}\2e6e40394c455899c25a735c705ee3e7.001	MaskVPNUpdate.exe
File opened for modification	C:\Windows\Installer\MSI668B.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8409.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI869E.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSI314D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8640.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7cb787.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBECA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID12C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE0A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI65CF.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1659841449.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIC5A1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 28 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2036	4292	WerFault.exe	4623381116.exe
4348	4292	WerFault.exe	4623381116.exe
1380	4292	WerFault.exe	4623381116.exe
4892	4292	WerFault.exe	4623381116.exe
2320	4292	WerFault.exe	4623381116.exe
5036	4292	WerFault.exe	4623381116.exe
1576	4292	WerFault.exe	4623381116.exe
2040	5168	WerFault.exe	GcleanerEU.exe
4920	5236	WerFault.exe	GcleanerEU.exe
2708	5236	WerFault.exe	GcleanerEU.exe
4804	5168	WerFault.exe	GcleanerEU.exe
5908	5580	WerFault.exe	gcleaner.exe
5636	5580	WerFault.exe	gcleaner.exe
5216	5236	WerFault.exe	GcleanerEU.exe
5848	5168	WerFault.exe	GcleanerEU.exe
2296	5580	WerFault.exe	gcleaner.exe
6084	5168	WerFault.exe	GcleanerEU.exe
1968	5236	WerFault.exe	GcleanerEU.exe
1988	5580	WerFault.exe	gcleaner.exe
4720	5168	WerFault.exe	GcleanerEU.exe
5284	5236	WerFault.exe	GcleanerEU.exe
4968	5580	WerFault.exe	gcleaner.exe
4972	5168	WerFault.exe	GcleanerEU.exe
5708	5236	WerFault.exe	GcleanerEU.exe
4820	5168	WerFault.exe	GcleanerEU.exe
4924	5168	WerFault.exe	GcleanerEU.exe
5136	5236	WerFault.exe	GcleanerEU.exe
4816	5236	WerFault.exe	GcleanerEU.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exetapinstall.exeDrvInst.exeDrvInst.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exeOpen__Setup__3456.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Open__Setup__3456.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Open__Setup__3456.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2128 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2796 taskkill.exe
3632 taskkill.exe
4824 taskkill.exe
1480 taskkill.exe

pid	process
2128	timeout.exe

pid	process
2796	taskkill.exe
3632	taskkill.exe
4824	taskkill.exe
1480	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exesvchost.exeDrvInst.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-162 = "Central Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mask_svc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-572 = "China Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	mask_svc.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exesvchost.exeMicrosoftEdgeCP.exemsiexec.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "601"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.hentaiheroes.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "CC"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{MILK21RL-C710-MWL1-5042-AV1QIJC7L5L4}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "9"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\ = "281"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\downloadoperagx.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Female"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\ = "411"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "16000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\Total = "242"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\Total = "321"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = af28c6293d0fd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\hentaiheroes.com\NumberOf = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000929e28980c8b81dd8471b871efb9fefdf2ec5adde02fe95521d3c57e67a549899afa60e4f7966205eaedf6e47c0b59e507b2ab480d46af4edbc1	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "SR en-US Lookup Lexicon"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\youtube.com\NumberOfSubdomai = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\downloadoperagx.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\Total = "9"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\downloadoperagx.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\plarium.com\Total = "74"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 73f121ba3d0fd801	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "349601799"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "74"	MicrosoftEdgeCP.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

rundll32.exeinstaller.exe161.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	161.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	161.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	161.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	161.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	rundll32.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Open__Setup__3456.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Setup_i864x.zip:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 13 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4644	PING.EXE
5464	PING.EXE
5136	PING.EXE
3716	PING.EXE
2540	PING.EXE
2268	PING.EXE
4848	PING.EXE
4112	PING.EXE
4352	PING.EXE
1480	PING.EXE
4448	PING.EXE
5336	PING.EXE
3408	PING.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	674	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	550	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IntelRapid.exe

pid process

1828 IntelRapid.exe

pid	process
1828	IntelRapid.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

61ebc863e3c48_Sat0908028a923.exepowershell.exerundll32.exesvchost.exead760080-e664-4c93-8450-bbc36ff9ac73.exe78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe9b3d2795-33ba-48e1-8fbb-0250781a2197.exe2cdbe193-fcaf-40e4-9a68-950838b9e219.exeWerFault.exeWerFault.exepoweroff.tmpcmd.exe

pid	process
852	61ebc863e3c48_Sat0908028a923.exe
852	61ebc863e3c48_Sat0908028a923.exe
1784	powershell.exe
1784	powershell.exe
4188	rundll32.exe
4188	rundll32.exe
2688	svchost.exe
2688	svchost.exe
1784	powershell.exe
4952	ad760080-e664-4c93-8450-bbc36ff9ac73.exe
4952	ad760080-e664-4c93-8450-bbc36ff9ac73.exe
1784	powershell.exe
5048	78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe
5048	78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe
2712	6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe
2712	6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe
3956	9b3d2795-33ba-48e1-8fbb-0250781a2197.exe
3956	9b3d2795-33ba-48e1-8fbb-0250781a2197.exe
1584	2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
1584	2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
1584	2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
1584	2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
2036	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4348	WerFault.exe
4344	poweroff.tmp
4344	poweroff.tmp
1380	cmd.exe
1380	cmd.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
5820	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5820	MicrosoftEdgeCP.exe
5468	MicrosoftEdgeCP.exe
5468	MicrosoftEdgeCP.exe
4664	MicrosoftEdgeCP.exe
4664	MicrosoftEdgeCP.exe
4664	MicrosoftEdgeCP.exe
4664	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exe7zG.exe7zG.exe7zG.exe61ebc855aa10f_Sat094506bfb4f2.exe61ebc85f9ca8c_Sat095df864fc.exeLzmwAqmV.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeRestorePrivilege	3176	7zG.exe
Token: 35	3176	7zG.exe
Token: SeSecurityPrivilege	3176	7zG.exe
Token: SeSecurityPrivilege	3176	7zG.exe
Token: SeRestorePrivilege	3596	7zG.exe
Token: 35	3596	7zG.exe
Token: SeSecurityPrivilege	3596	7zG.exe
Token: SeSecurityPrivilege	3596	7zG.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeDebugPrivilege	2728	firefox.exe
Token: SeRestorePrivilege	1320	7zG.exe
Token: 35	1320	7zG.exe
Token: SeSecurityPrivilege	1320	7zG.exe
Token: SeSecurityPrivilege	1320	7zG.exe
Token: SeRestorePrivilege	204	7zG.exe
Token: 35	204	7zG.exe
Token: SeSecurityPrivilege	204	7zG.exe
Token: SeSecurityPrivilege	204	7zG.exe
Token: SeRestorePrivilege	3800	7zG.exe
Token: 35	3800	7zG.exe
Token: SeSecurityPrivilege	3800	7zG.exe
Token: SeSecurityPrivilege	3800	7zG.exe
Token: SeCreateTokenPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeAssignPrimaryTokenPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeLockMemoryPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeIncreaseQuotaPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeMachineAccountPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeTcbPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeSecurityPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeTakeOwnershipPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeLoadDriverPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeSystemProfilePrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeSystemtimePrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeProfSingleProcessPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeIncBasePriorityPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeCreatePagefilePrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeCreatePermanentPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeBackupPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeRestorePrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeShutdownPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeDebugPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeAuditPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeSystemEnvironmentPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeChangeNotifyPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeRemoteShutdownPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeUndockPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeSyncAgentPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeEnableDelegationPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeManageVolumePrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeImpersonatePrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeCreateGlobalPrivilege	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: 31	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: 32	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: 33	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: 34	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: 35	3952	61ebc855aa10f_Sat094506bfb4f2.exe
Token: SeDebugPrivilege	972	61ebc85f9ca8c_Sat095df864fc.exe
Token: SeDebugPrivilege	2076	LzmwAqmV.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	3632	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exeOpen__Setup__3456.exe7zG.exe7zG.exe7zG.exepoweroff.tmp7zG.exeinstaller.exe161.tmp

pid	process
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
3176	7zG.exe
3596	7zG.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
1320	7zG.exe
204	7zG.exe
3800	7zG.exe
4344	poweroff.tmp
5088	7zG.exe
5668	installer.exe
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp
5924	161.tmp

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

firefox.exeOpen__Setup__3456.exe

pid	process
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe
3884	Open__Setup__3456.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exewin-setup-i864.exesetup_installer.exesetup_install.exe61ebc8632c578_Sat096243e85.exe61ebc8579d193_Sat09ea8e57f896.exe61ebc855aa10f_Sat094506bfb4f2.exe61ebc863e3c48_Sat0908028a923.exetaskkill.exe61ebc8658050b_Sat095c6f3836.exe61ebc85c3f8d6_Sat097601daa5.exe61ebc8658050b_Sat095c6f3836.tmp61ebc8649d86d_Sat09a4fee9807b.exeLzmwAqmV.exe25FF.tmp.exe28A0.tmp.exe7508307521.exead760080-e664-4c93-8450-bbc36ff9ac73.exe78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe9b3d2795-33ba-48e1-8fbb-0250781a2197.exe2cdbe193-fcaf-40e4-9a68-950838b9e219.exe8654895.exepoweroff.exepoweroff.tmpfq.exeMaskVPNUpdate.exe161.exe161.tmprandom.exeMicrosoftEdge.exeSetup.exeBumperWW.exeaskinstall42.exerandom.exeOriginal.execmd.exe75af9695-d4c9-400b-bf1b-a7124ad29336.exe10d41032-bf70-4ad8-83f4-ae7a25822c34.exec62c6b37-cd7a-4ca1-8713-b015b7bfc73a.exe61ddaf8f-4df8-4881-9377-61fd20e4774f.exetapinstall.exe8136630.exeMicrosoftEdgeCP.exe

pid	process
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
2728	firefox.exe
3748	win-setup-i864.exe
1788	setup_installer.exe
1244	setup_install.exe
3800	61ebc8632c578_Sat096243e85.exe
1124	61ebc8579d193_Sat09ea8e57f896.exe
3952	61ebc855aa10f_Sat094506bfb4f2.exe
852	61ebc863e3c48_Sat0908028a923.exe
3632	taskkill.exe
3632	taskkill.exe
3632	taskkill.exe
3132	61ebc8658050b_Sat095c6f3836.exe
3748	61ebc85c3f8d6_Sat097601daa5.exe
2252	61ebc8658050b_Sat095c6f3836.tmp
3008	61ebc8649d86d_Sat09a4fee9807b.exe
3008	61ebc8649d86d_Sat09a4fee9807b.exe
3008	61ebc8649d86d_Sat09a4fee9807b.exe
2076	LzmwAqmV.exe
2420	25FF.tmp.exe
2176	28A0.tmp.exe
4700	7508307521.exe
4952	ad760080-e664-4c93-8450-bbc36ff9ac73.exe
5048	78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe
2712	6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe
3956	9b3d2795-33ba-48e1-8fbb-0250781a2197.exe
1584	2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
964	8654895.exe
4788	poweroff.exe
4344	poweroff.tmp
4940	fq.exe
5264	MaskVPNUpdate.exe
5688	161.exe
5924	161.tmp
5960	random.exe
5960	random.exe
5960	random.exe
5412	MicrosoftEdge.exe
6064	Setup.exe
6112	BumperWW.exe
5876	askinstall42.exe
2008	random.exe
2008	random.exe
2008	random.exe
4800	Original.exe
4496	cmd.exe
5700	75af9695-d4c9-400b-bf1b-a7124ad29336.exe
4648	10d41032-bf70-4ad8-83f4-ae7a25822c34.exe
5316	c62c6b37-cd7a-4ca1-8713-b015b7bfc73a.exe
1048	61ddaf8f-4df8-4881-9377-61fd20e4774f.exe
5496	tapinstall.exe
5608	8136630.exe
5820	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2480 wrote to memory of 2728	2480	firefox.exe	firefox.exe
PID 2728 wrote to memory of 864	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 864	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 376	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe
PID 2728 wrote to memory of 1408	2728	firefox.exe	firefox.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2700

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://crackdj.com
1⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://crackdj.com
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.0.1035290803\1625872707" -parentBuildID 20200403170909 -prefsHandle 1516 -prefMapHandle 1488 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 1624 gpu
3⤵
PID:864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.3.1213462959\1807353833" -childID 1 -isForBrowser -prefsHandle 2284 -prefMapHandle 2276 -prefsLen 156 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 2336 tab
3⤵
PID:376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.13.1471300882\1015299077" -childID 2 -isForBrowser -prefsHandle 3356 -prefMapHandle 3352 -prefsLen 7013 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 3364 tab
3⤵
PID:1408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.20.383565118\865548174" -childID 3 -isForBrowser -prefsHandle 3596 -prefMapHandle 4100 -prefsLen 7941 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 4120 tab
3⤵
PID:2136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2728.27.268814184\953494499" -childID 4 -isForBrowser -prefsHandle 8528 -prefMapHandle 8520 -prefsLen 8937 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2728 "\\.\pipe\gecko-crash-server-pipe.2728" 8500 tab
3⤵
PID:2680

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc85d85b45_Sat0933dfd61ab.exe
61ebc85d85b45_Sat0933dfd61ab.exe
4⤵
- Executes dropped EXE
PID:2080

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4604

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1736

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Open__Setup__3456\" -spe -an -ai#7zMap31303:96:7zEvent5957
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3176

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Open__Setup__3456\Open__Setup__3456\" -spe -an -ai#7zMap31895:132:7zEvent16131
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3596

C:\Users\Admin\Downloads\Open__Setup__3456\Open__Setup__3456.exe
"C:\Users\Admin\Downloads\Open__Setup__3456\Open__Setup__3456.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3884

C:\Users\Admin\AppData\Local\Temp\File1.exe
"C:\Users\Admin\AppData\Local\Temp\File1.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2380

C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe
"C:\Users\Admin\AppData\Roaming\Intel Rapid\IntelRapid.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 3 & del /f /q "C:\Users\Admin\Downloads\Open__Setup__3456\Open__Setup__3456.exe"
2⤵
PID:3056

C:\Windows\SysWOW64\timeout.exe
timeout /t 3
3⤵
- Delays execution with timeout.exe
PID:2128

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_i864x\" -spe -an -ai#7zMap29069:84:7zEvent24285
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Setup_i864x\PASSWORD-IS-hello587785.txt
1⤵
PID:1680

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\" -spe -an -ai#7zMap26917:114:7zEvent2296
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\win-setup-i864\" -spe -an -ai#7zMap1433:144:7zEvent5837
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\win-setup-i864.exe
"C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\win-setup-i864.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc855aa10f_Sat094506bfb4f2.exe
4⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc855aa10f_Sat094506bfb4f2.exe
61ebc855aa10f_Sat094506bfb4f2.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2380

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc85c3f8d6_Sat097601daa5.exe
4⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc85c3f8d6_Sat097601daa5.exe
61ebc85c3f8d6_Sat097601daa5.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\oF0NJ.B
6⤵
- Loads dropped DLL
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc86696359_Sat0918b27058a.exe
4⤵
PID:3196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc8658050b_Sat095c6f3836.exe
4⤵
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc8649d86d_Sat09a4fee9807b.exe
4⤵
PID:3312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc863e3c48_Sat0908028a923.exe
4⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc8632c578_Sat096243e85.exe
4⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc861109d8_Sat090153b775.exe /mixtwo
4⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc85f9ca8c_Sat095df864fc.exe
4⤵
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc85f3ab66_Sat09e5e8eeca4.exe
4⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc85d85b45_Sat0933dfd61ab.exe
4⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc85aa0efa_Sat096553627f2f.exe
4⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc859e57b1_Sat09653c9bd.exe
4⤵
PID:3492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc8579d193_Sat09ea8e57f896.exe
4⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61ebc856df6a5_Sat0903df92dc30.exe
4⤵
PID:352

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8649d86d_Sat09a4fee9807b.exe
61ebc8649d86d_Sat09a4fee9807b.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8649d86d_Sat09a4fee9807b.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8649d86d_Sat09a4fee9807b.exe" -a
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8632c578_Sat096243e85.exe
61ebc8632c578_Sat096243e85.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Users\Admin\AppData\Roaming\25FF.tmp.exe
"C:\Users\Admin\AppData\Roaming\25FF.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2420

C:\Users\Admin\AppData\Roaming\28A0.tmp.exe
"C:\Users\Admin\AppData\Roaming\28A0.tmp.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8632c578_Sat096243e85.exe" >> NUL
2⤵
PID:4144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:4352

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc863e3c48_Sat0908028a923.exe
61ebc863e3c48_Sat0908028a923.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:852

C:\Users\Admin\AppData\Local\Temp\ad760080-e664-4c93-8450-bbc36ff9ac73.exe
"C:\Users\Admin\AppData\Local\Temp\ad760080-e664-4c93-8450-bbc36ff9ac73.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4952

C:\Users\Admin\AppData\Local\Temp\78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe
"C:\Users\Admin\AppData\Local\Temp\78b0bb75-5a75-4a52-99af-0af0f2b4d10a.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Users\Admin\AppData\Local\Temp\6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe
"C:\Users\Admin\AppData\Local\Temp\6e7fcf82-04bb-481b-b5d1-06d46e693ee2.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2712

C:\Users\Admin\AppData\Local\Temp\9b3d2795-33ba-48e1-8fbb-0250781a2197.exe
"C:\Users\Admin\AppData\Local\Temp\9b3d2795-33ba-48e1-8fbb-0250781a2197.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Users\Admin\AppData\Roaming\8654895.exe
"C:\Users\Admin\AppData\Roaming\8654895.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:964

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s QtGUM.8Qe -u
4⤵
- Loads dropped DLL
PID:1496

C:\Users\Admin\AppData\Local\Temp\2cdbe193-fcaf-40e4-9a68-950838b9e219.exe
"C:\Users\Admin\AppData\Local\Temp\2cdbe193-fcaf-40e4-9a68-950838b9e219.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc856df6a5_Sat0903df92dc30.exe
61ebc856df6a5_Sat0903df92dc30.exe
1⤵
- Executes dropped EXE
PID:3844

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc861109d8_Sat090153b775.exe
61ebc861109d8_Sat090153b775.exe /mixtwo
1⤵
- Executes dropped EXE
PID:680

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc859e57b1_Sat09653c9bd.exe
61ebc859e57b1_Sat09653c9bd.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc85f3ab66_Sat09e5e8eeca4.exe
61ebc85f3ab66_Sat09e5e8eeca4.exe
1⤵
- Executes dropped EXE
PID:2416

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc85f9ca8c_Sat095df864fc.exe
61ebc85f9ca8c_Sat095df864fc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc85aa0efa_Sat096553627f2f.exe
61ebc85aa0efa_Sat096553627f2f.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8579d193_Sat09ea8e57f896.exe
61ebc8579d193_Sat09ea8e57f896.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4623381116.exe" hbone
2⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\4623381116.exe
"C:\Users\Admin\AppData\Local\Temp\4623381116.exe" hbone
3⤵
- Executes dropped EXE
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 668
4⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 688
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 740
4⤵
- Program crash
PID:1380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 776
4⤵
- Program crash
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 992
4⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1160
4⤵
- Program crash
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 1332
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:1576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7508307521.exe"
2⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\7508307521.exe
"C:\Users\Admin\AppData\Local\Temp\7508307521.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "61ebc8579d193_Sat09ea8e57f896.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8579d193_Sat09ea8e57f896.exe" & exit
2⤵
PID:4276

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "61ebc8579d193_Sat09ea8e57f896.exe" /f
3⤵
- Kills process with taskkill
PID:4824

C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8658050b_Sat095c6f3836.exe
61ebc8658050b_Sat095c6f3836.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Users\Admin\AppData\Local\Temp\is-3JS4E.tmp\61ebc8658050b_Sat095c6f3836.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3JS4E.tmp\61ebc8658050b_Sat095c6f3836.tmp" /SL5="$4034A,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zSCF6E802A\61ebc8658050b_Sat095c6f3836.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2252

C:\Users\Admin\AppData\Local\Temp\is-VR23L.tmp\MSekni.exe
"C:\Users\Admin\AppData\Local\Temp\is-VR23L.tmp\MSekni.exe" /S /UID=91
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1104

C:\Users\Admin\AppData\Local\Temp\25-f3a05-d52-d8fa8-db5a316d3ab58\Mefuhaesazhe.exe
"C:\Users\Admin\AppData\Local\Temp\25-f3a05-d52-d8fa8-db5a316d3ab58\Mefuhaesazhe.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4232

C:\Users\Admin\AppData\Local\Temp\c9-ffbc6-506-37c9b-a40cb544b0a15\Caezhusaeriki.exe
"C:\Users\Admin\AppData\Local\Temp\c9-ffbc6-506-37c9b-a40cb544b0a15\Caezhusaeriki.exe"
4⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uo3cnidq.f2x\fq.exe SID=778 CID=778 SILENT=1 /quiet & exit
5⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\uo3cnidq.f2x\fq.exe
C:\Users\Admin\AppData\Local\Temp\uo3cnidq.f2x\fq.exe SID=778 CID=778 SILENT=1 /quiet
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4940

C:\Users\Admin\AppData\Local\Temp\nsnC2A.tmp\fq.exe
C:\Users\Admin\AppData\Local\Temp\nsnC2A.tmp\fq.exe
7⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\nsnC2A.tmp\fq.exe
"C:\Users\Admin\AppData\Local\Temp\nsnC2A.tmp\fq.exe" SID=778 CID=778 SILENT=1 /quiet
7⤵
PID:5264

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist /v 1 /t REG_SZ /d lbiobkhhodgbcpmhjiomcemknhgabakl;file:///C:/Windows/Installer/{a58e4f69-d4e3-8a76-6fe9-ceca6547fd3e}/e42520b4318dfd8363560a718a5000cc.001
8⤵
PID:5784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\ExtensionInstallForcelist /v 1 /t REG_SZ /d lbiobkhhodgbcpmhjiomcemknhgabakl;file:///C:/Windows/Installer/{a58e4f69-d4e3-8a76-6fe9-ceca6547fd3e}/e42520b4318dfd8363560a718a5000cc
8⤵
PID:4968

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files (x86)\Footer Quotes\chrome_manager_x64.dll" main --install-run
8⤵
PID:5628

C:\Windows\system32\rundll32.exe
rundll32 "C:\Program Files (x86)\Footer Quotes\chrome_manager_x64.dll" main --install-run
9⤵
PID:5832

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\ProgramData\hejab.dll" main -c uninstall
8⤵
PID:4828

C:\Windows\system32\rundll32.exe
rundll32 "C:\ProgramData\hejab.dll" main -c uninstall
9⤵
PID:3408

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\ProgramData\hejab.dll" main -c install-run
8⤵
PID:2324

C:\Windows\system32\rundll32.exe
rundll32 "C:\ProgramData\hejab.dll" main -c install-run
9⤵
PID:5176

C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files (x86)\Footer Quotes\chrome_manager_x64.dll" main -c cdo "Footer Quotes"
8⤵
PID:5912

C:\Windows\system32\rundll32.exe
rundll32 "C:\Program Files (x86)\Footer Quotes\chrome_manager_x64.dll" main -c cdo "Footer Quotes"
9⤵
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfn2nxpi.b3m\GcleanerEU.exe /S /subid=948 & exit
5⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\jfn2nxpi.b3m\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\jfn2nxpi.b3m\GcleanerEU.exe /S /subid=948
6⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 816
7⤵
- Program crash
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 820
7⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 884
7⤵
- Program crash
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 884
7⤵
- Program crash
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 652
7⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 800
7⤵
- Program crash
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 924
7⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 900
7⤵
- Program crash
PID:4924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jfn2nxpi.b3m\GcleanerEU.exe /eufive & exit
5⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\jfn2nxpi.b3m\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\jfn2nxpi.b3m\GcleanerEU.exe /eufive
6⤵
- Executes dropped EXE
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 648
7⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 664
7⤵
- Program crash
PID:2708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 800
7⤵
- Program crash
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 816
7⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 1124
7⤵
- Program crash
PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 1172
7⤵
- Program crash
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 1192
7⤵
- Program crash
PID:5136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 1348
7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4tbmlc2.xz0\Original.exe & exit
5⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\f4tbmlc2.xz0\Original.exe
C:\Users\Admin\AppData\Local\Temp\f4tbmlc2.xz0\Original.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
7⤵
PID:4592

C:\Windows\SysWOW64\PING.EXE
ping google.com
8⤵
- Runs ping.exe
PID:5464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
7⤵
PID:5632

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
8⤵
- Runs ping.exe
PID:5136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
7⤵
PID:5916

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
8⤵
- Runs ping.exe
PID:3716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
7⤵
PID:5892

C:\Windows\SysWOW64\PING.EXE
ping google.com
8⤵
- Runs ping.exe
PID:2540

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
7⤵
PID:6040

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
8⤵
- Runs ping.exe
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
7⤵
PID:4872

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
8⤵
- Runs ping.exe
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
7⤵
PID:5940

C:\Windows\SysWOW64\PING.EXE
ping google.com
8⤵
- Runs ping.exe
PID:5336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
8⤵
- Runs ping.exe
PID:2268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
7⤵
PID:1472

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
8⤵
- Runs ping.exe
PID:4848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping google.com
7⤵
PID:3412

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:1556

C:\Windows\SysWOW64\PING.EXE
ping google.com
8⤵
- Runs ping.exe
PID:4112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping facebook.com
7⤵
PID:5176

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Executes dropped EXE
PID:5168

C:\Windows\SysWOW64\PING.EXE
ping facebook.com
8⤵
- Runs ping.exe
PID:3408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping twitter.com
7⤵
PID:2252

C:\Windows\SysWOW64\PING.EXE
ping twitter.com
8⤵
- Runs ping.exe
PID:4644

C:\Users\Admin\AppData\Local\Temp\f4tbmlc2.xz0\Original.exe
C:\Users\Admin\AppData\Local\Temp\f4tbmlc2.xz0\Original.exe
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jo4pqhiy.krl\161.exe /silent /subid=798 & exit
5⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\jo4pqhiy.krl\161.exe
C:\Users\Admin\AppData\Local\Temp\jo4pqhiy.krl\161.exe /silent /subid=798
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5688

C:\Users\Admin\AppData\Local\Temp\is-RM6HD.tmp\161.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RM6HD.tmp\161.tmp" /SL5="$40418,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jo4pqhiy.krl\161.exe" /silent /subid=798
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
8⤵
PID:2204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
- Executes dropped EXE
PID:5180

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
9⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:5496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
8⤵
PID:5892

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
9⤵
PID:5452

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5996

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
8⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a1lk2xw4.q2n\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\a1lk2xw4.q2n\installer.exe
C:\Users\Admin\AppData\Local\Temp\a1lk2xw4.q2n\installer.exe /qn CAMPAIGN="654"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5668

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a1lk2xw4.q2n\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\a1lk2xw4.q2n\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1642560072 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
7⤵
PID:1124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xkfvpst4.om5\random.exe & exit
5⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\xkfvpst4.om5\random.exe
C:\Users\Admin\AppData\Local\Temp\xkfvpst4.om5\random.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5960

C:\Users\Admin\AppData\Local\Temp\xkfvpst4.om5\random.exe
"C:\Users\Admin\AppData\Local\Temp\xkfvpst4.om5\random.exe" -a
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ssqdcybn.zbc\Setup.exe & exit
5⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\ssqdcybn.zbc\Setup.exe
C:\Users\Admin\AppData\Local\Temp\ssqdcybn.zbc\Setup.exe
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\p1muc251.nl1\BumperWW.exe & exit
5⤵
- Blocklisted process makes network request
PID:852

C:\Users\Admin\AppData\Local\Temp\p1muc251.nl1\BumperWW.exe
C:\Users\Admin\AppData\Local\Temp\p1muc251.nl1\BumperWW.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\nzfc2rpz.xdg\autosubplayer.exe /S & exit
5⤵
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2oxi35am.jdj\gcleaner.exe /mixfive & exit
5⤵
PID:5276

C:\Users\Admin\AppData\Local\Temp\2oxi35am.jdj\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\2oxi35am.jdj\gcleaner.exe /mixfive
6⤵
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 668
7⤵
- Program crash
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 716
7⤵
- Program crash
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 804
7⤵
- Program crash
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 680
7⤵
- Program crash
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 1136
7⤵
- Program crash
PID:4968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2gvazaj5.vkn\askinstall42.exe & exit
5⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\2gvazaj5.vkn\askinstall42.exe
C:\Users\Admin\AppData\Local\Temp\2gvazaj5.vkn\askinstall42.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:5828

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:1480

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rs2e5gq3.1xr\RobCleanerInstlr842628.exe & exit
5⤵
PID:5536

C:\Users\Admin\AppData\Local\Temp\rs2e5gq3.1xr\RobCleanerInstlr842628.exe
C:\Users\Admin\AppData\Local\Temp\rs2e5gq3.1xr\RobCleanerInstlr842628.exe
6⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\75af9695-d4c9-400b-bf1b-a7124ad29336.exe
"C:\Users\Admin\AppData\Local\Temp\75af9695-d4c9-400b-bf1b-a7124ad29336.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5700

C:\Users\Admin\AppData\Local\Temp\c62c6b37-cd7a-4ca1-8713-b015b7bfc73a.exe
"C:\Users\Admin\AppData\Local\Temp\c62c6b37-cd7a-4ca1-8713-b015b7bfc73a.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Users\Admin\AppData\Local\Temp\10d41032-bf70-4ad8-83f4-ae7a25822c34.exe
"C:\Users\Admin\AppData\Local\Temp\10d41032-bf70-4ad8-83f4-ae7a25822c34.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Users\Admin\AppData\Local\Temp\61ddaf8f-4df8-4881-9377-61fd20e4774f.exe
"C:\Users\Admin\AppData\Local\Temp\61ddaf8f-4df8-4881-9377-61fd20e4774f.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Users\Admin\AppData\Roaming\8136630.exe
"C:\Users\Admin\AppData\Roaming\8136630.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5608

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s QtGUM.8Qe -u
9⤵
- Loads dropped DLL
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\41tdj2it.itl\installer.exe /qn CAMPAIGN=654 & exit
5⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\41tdj2it.itl\installer.exe
C:\Users\Admin\AppData\Local\Temp\41tdj2it.itl\installer.exe /qn CAMPAIGN=654
6⤵
PID:4808

C:\Program Files\Windows Security\ZLXYNZURWQ\poweroff.exe
"C:\Program Files\Windows Security\ZLXYNZURWQ\poweroff.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Users\Admin\AppData\Local\Temp\is-CJ2D5.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CJ2D5.tmp\poweroff.tmp" /SL5="$5038A,490199,350720,C:\Program Files\Windows Security\ZLXYNZURWQ\poweroff.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:4364

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4152

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\win-setup-i864\setup_installer\" -spe -an -ai#7zMap18690:176:7zEvent9519
1⤵
- Suspicious use of FindShellTrayWindow
PID:5088

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5412

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:4212

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D7B7B8A632BC01ED6716CCEB466D3B47 C
2⤵
- Loads dropped DLL
PID:4980

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5E56206E51061D2EBBD1E3285834E770
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5240

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:2796

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F55F2C6036CB04CA6CF3D612298E06E2 E Global\MSI0000
2⤵
PID:4448

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:4752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4420

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4556

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
PID:5580

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1820

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{59cc132a-415e-f34e-8dad-c125d0559506}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1804

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000198"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4808

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:5352

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:5360

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\win-setup-i864\setup_installer\61ebc85c3f8d6_Sat097601daa5\" -spe -an -ai#7zMap17632:232:7zEvent30650
1⤵
PID:5216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5844

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Setup_i864x\app-setup-i864\win-setup-i864\setup_installer\61ebc85c3f8d6_Sat097601daa5\oF0NJ.b
2⤵
PID:5476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5932

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:6096

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Program Files (x86)\Footer Quotes\chrome_manager_x64.dll" main
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:5452

C:\Windows\system32\rundll32.exe
"rundll32.exe" "C:\Program Files (x86)\Footer Quotes\chrome_manager_x64.dll" main iFE9Pxf5P I8Uffe71U
2⤵
PID:2316

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\ProgramData\hejab.dll" main
1⤵
PID:4544

C:\Windows\system32\rundll32.exe
"rundll32.exe" C:\ProgramData\hejab.dll main yoqd
2⤵
PID:5460

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5312

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3548

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5272

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:3408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
PID:5468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:864

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4880

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
PID:4664

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1348

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c0
1⤵
PID:5868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1596

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery