formbook | 35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6

Processes:

systray.exesidebar.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0BFLFTBPL = "C:\\Program Files (x86)\\Bmrxh\\vgaqhvh.exe"	systray.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Windows\CurrentVersion\Run	sidebar.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

rundll32.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Drops desktop.ini file(s) 52 IoCs

Processes:

ie4uinit.exeregsvr32.exeregsvr32.exemctadmin.exeWinMail.exeExplorer.EXEExplorer.EXEregsvr32.exeWinMail.exe

description	ioc	process
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\test\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Favorites\Links for United States\desktop.ini	mctadmin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	regsvr32.exe
File created	C:\Users\test\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	WinMail.exe
File opened for modification	C:\Users\test\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\test\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Explorer.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	Explorer.EXE
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-2329389628-4064185017-3901522362-1001\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Contacts\desktop.ini	WinMail.exe
File opened for modification	C:\Users\test\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\test\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Favorites\Links\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\test\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\test\Searches\desktop.ini	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

unregmp2.exeunregmp2.exe

description	ioc	process
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\F:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\test\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\test\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

reqbqonire.exereqbqonire.exesystray.exe

description	pid	process	target process
PID 1316 set thread context of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1552 set thread context of 1384	1552	reqbqonire.exe	Explorer.EXE
PID 1552 set thread context of 1384	1552	reqbqonire.exe	Explorer.EXE
PID 548 set thread context of 1384	548	systray.exe	Explorer.EXE
PID 548 set thread context of 2164	548	systray.exe	Explorer.EXE

Drops file in Program Files directory 64 IoCs

Processes:

Explorer.EXEUnlocker1.9.2.exesystray.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	Explorer.EXE
File opened for modification	C:\Program Files\Unlocker\Unlocker.url	Unlocker1.9.2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_lg.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInTray.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1257.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\license.html	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\adobepdf.xdc	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\XDPFile_8.ico	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeUpdater.dll	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\ReadMe.htm	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\zy______.pfm	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDXFile_8.ico	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-BoldIt.otf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-It.otf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt55.ths	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Bmrxh\vgaqhvh.exe	systray.exe
File created	C:\Program Files\Unlocker\UnlockerDriver5.sys	Unlocker1.9.2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\rss.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1252.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\eula.ini	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_super.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\submission_history.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\icudt26l.dat	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\bl.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\forms_distributed.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\engphon.env	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa03.hsp	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInAcrobat.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\info.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.cer	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\UKRAINE.TXT	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa37.hyp	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-Bold.otf	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZY______.PFB	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Explorer.EXE
File created	C:\Program Files\Unlocker\UnlockerCOM.dll	Unlocker1.9.2.exe

Drops file in Windows directory 64 IoCs

Processes:

Explorer.EXErundll32.exeie4uinit.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Music	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcm80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFile_8.ico	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RMFFile_8.ico	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationProvider_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Documents	Explorer.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationHostDLL_x86.dll.mui	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_amd64	Explorer.EXE
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\wordicon.exe	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo	Explorer.EXE
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\index143.dat	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100kor_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PenIMC2_v0400_X86.dll	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Desktop	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcp100_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\microsoft.build.tasks.v4.0.dll_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Downloads	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu	Explorer.EXE
File opened for modification	C:\Windows\assembly\Desktop.ini	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\microsoft.build.tasks.v4.0.dll_amd64	Explorer.EXE
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Pictures	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_atl100_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClient_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\Installer\5367.msp	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\wpfgfx_x86.dll	Explorer.EXE
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\xlicons.exe	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFile_8.ico	Explorer.EXE
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index133.dat	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100enu_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\ul_msvcr80.dll.98CB24AD_52FB_DB5F_FF1F_C8B3B9A1E18E	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Links	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Pictures	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationNative_x86.dll	Explorer.EXE
File opened for modification	C:\Windows\Installer\7411.msp	Explorer.EXE
File opened for modification	C:\Windows\assembly\pubpol37.dat	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFile_8.ico	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Videos	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationTypes_amd64.dll	Explorer.EXE
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\outicon.exe	Explorer.EXE
File opened for modification	C:\Windows\Fonts\fms_metadata.xml	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100jpn_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Xaml_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PresentationFramework_amd64.dll	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Windows_Controls_Ribbon_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Links	Explorer.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent	Explorer.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	ie4uinit.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\system_data_dll_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WindowsBase_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SecStoreFile.ico	Explorer.EXE
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe	Explorer.EXE
File opened for modification	C:\Windows\assembly\pubpol4.dat	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_msvcr100_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Windows_Controls_Ribbon_amd64.dll	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationTypes_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100rus_x64	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\System_Windows_Controls_Ribbon_x86.dll	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAutomationClientsideProviders_gac_x86	Explorer.EXE
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100u_x64	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2188 2488 WerFault.exe vgaqhvh.exe
2572 2144 WerFault.exe

pid	pid_target	process	target process
2188	2488	WerFault.exe	vgaqhvh.exe
2572	2144	WerFault.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

perfmon.exeExplorer.EXErunonce.exeExplorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	perfmon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Explorer.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	perfmon.exe

Enumerates system info in registry 2 TTPs 38 IoCs

Query Registry

System Information Discovery

Processes:

csrss.exechrome.exechrome.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

Processes:

ie4uinit.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	ie4uinit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

ie4uinit.exeregsvr32.exeregsvr32.exesystray.exeExplorer.EXEmctadmin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Save_Session_History_On_Exit = "no"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\IETld\LowMic	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\26\IEFixedFontName = "NSimsun"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Segoe UI Symbol"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Khmer UI"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\39	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Local Page = "C:\\Windows\\system32\\blank.htm"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Help_Menu_URLs	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Desktop\General	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Desktop\General	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\4	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\10	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\38	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli"	ie4uinit.exe
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\5	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\8	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Segoe UI Symbol"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Toolbar	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\26	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Search Page = "http://go.microsoft.com/fwlink/?LinkId=54896"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Mangal"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\13	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\32	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "1"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Document Windows\width = 00000080	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Document Windows\y = 00000000	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\32\IEFixedFontName = "Segoe UI Symbol"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\36\IEFixedFontName = "Myanmar Text"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\37	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\SQM\InstallDate = "1645813977"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Cache_Update_Frequency = "Once_Per_Session"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited = "128,0,128"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\31	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\LowRegistry	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\11	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\21	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\21\IEFixedFontName = "Microsoft Himalaya"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\26\IEPropFontName = "Simsun"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Plantagenet Cherokee"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color = "0,0,255"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Document Windows\x = 00000080	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\15\IEPropFontName = "Vijaya"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\UseClearType = "no"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 909df91c762ad801	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	mctadmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes"	ie4uinit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

Processes:

ie4uinit.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	ie4uinit.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe

Modifies registry class 64 IoCs

Processes:

unregmp2.exeunregmp2.exeExplorer.EXEregsvr32.exeExplorer.EXEregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.midi\OpenWithProgIds	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.WTV\OpenWithProgIds	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/quicktime	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ts\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3g2	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmz\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001_Classes\Local Settings	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0 = ff000000f90000eeebbeeb000400070000004d0000003153505330f125b7ef471a10a5f102608c9eebac310000000a000000001f000000100000004d0061006e0061006700650020004100630063006f0075006e00740073000000000000004d00000031535053537def0c64fad111a2030000f81fedee3100000005000000001f0000000f0000007000610067006500410064006d0069006e005400610073006b00730000000000000000004d000000315350538727bf5ccf480842b90eee5e5d4202943100000019000000001f0000000f0000007500730065007200630070006c002e0064006c006c002c002d00310000000000000000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\1\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1001_CLASSES\Local Settings\MuiCache	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.3gpp\OpenWithProgIds	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wax	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-asf-plugin	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.AudioCD\shell\Play	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2\0\0\NodeSlot = "11"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\1\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ts	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0\0 = 07010000010100eeebbef300040001000000510000003153505330f125b7ef471a10a5f102608c9eebac350000000a000000001f000000120000004300680061006e0067006500200061006e0020004100630063006f0075006e0074000000000000005100000031535053537def0c64fad111a2030000f81fedee3500000005000000001f0000001200000070006100670065004300680061006e0067006500430068006f0069006300650073000000000000004d000000315350538727bf5ccf480842b90eee5e5d4202943100000019000000001f0000000f0000007500730065007200630070006c002e0064006c006c002c002d00310000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithProgIds	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/midi	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mov\OpenWithProgIds	unregmp2.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0\0\0\0	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.WMD\OpenWithProgIds	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-mplayer2	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

reqbqonire.exesystray.exetaskmgr.exeperfmon.exe

pid	process
1552	reqbqonire.exe
1552	reqbqonire.exe
1552	reqbqonire.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
548	systray.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
548	systray.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
548	systray.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
548	systray.exe
2012	taskmgr.exe
1704	perfmon.exe
1704	perfmon.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
548	systray.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
548	systray.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe
2012	taskmgr.exe
1704	perfmon.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

Explorer.EXEtaskmgr.exeExplorer.EXE

pid process

1384 Explorer.EXE
2012 taskmgr.exe
2164 Explorer.EXE
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

Unlocker.exeUnlocker.exeUnlocker.exe

pid process

2120 Unlocker.exe
2120 Unlocker.exe
2828 Unlocker.exe
2828 Unlocker.exe
468 Unlocker.exe
468 Unlocker.exe

pid	process
2120	Unlocker.exe
2120	Unlocker.exe
2828	Unlocker.exe
2828	Unlocker.exe
468	Unlocker.exe
468	Unlocker.exe

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

reqbqonire.exesystray.exe

pid	process
1552	reqbqonire.exe
1552	reqbqonire.exe
1552	reqbqonire.exe
1552	reqbqonire.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe
548	systray.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

reqbqonire.exesystray.exeExplorer.EXEtaskmgr.exeperfmon.exeWerFault.exeSetup.exeUnlocker.exeUnlocker.exe

description	pid	process
Token: SeDebugPrivilege	1552	reqbqonire.exe
Token: SeDebugPrivilege	548	systray.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeDebugPrivilege	2012	taskmgr.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeDebugPrivilege	1704	perfmon.exe
Token: SeSystemProfilePrivilege	1704	perfmon.exe
Token: SeCreateGlobalPrivilege	1704	perfmon.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeDebugPrivilege	2188	WerFault.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeTakeOwnershipPrivilege	2272	Setup.exe
Token: SeTakeOwnershipPrivilege	2272	Setup.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeDebugPrivilege	2120	Unlocker.exe
Token: SeLoadDriverPrivilege	2120	Unlocker.exe
Token: SeBackupPrivilege	2120	Unlocker.exe
Token: SeTakeOwnershipPrivilege	2120	Unlocker.exe
Token: SeDebugPrivilege	2828	Unlocker.exe
Token: SeLoadDriverPrivilege	2828	Unlocker.exe
Token: SeBackupPrivilege	2828	Unlocker.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

Explorer.EXEtaskmgr.exe

pid	process
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe
2012	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Explorer.EXEWinMail.exeWinMail.exe

pid process

1384 Explorer.EXE
1384 Explorer.EXE
1384 Explorer.EXE
1384 Explorer.EXE
1384 Explorer.EXE
1384 Explorer.EXE
2616 WinMail.exe
3008 WinMail.exe

Suspicious use of UnmapMainImage 38 IoCs

Processes:

Explorer.EXE

pid	process
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

INV21029.exereqbqonire.exeExplorer.EXEsystray.exetaskmgr.exechrome.exe

description	pid	process	target process
PID 1556 wrote to memory of 1316	1556	INV21029.exe	reqbqonire.exe
PID 1556 wrote to memory of 1316	1556	INV21029.exe	reqbqonire.exe
PID 1556 wrote to memory of 1316	1556	INV21029.exe	reqbqonire.exe
PID 1556 wrote to memory of 1316	1556	INV21029.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1316 wrote to memory of 1552	1316	reqbqonire.exe	reqbqonire.exe
PID 1384 wrote to memory of 548	1384	Explorer.EXE	systray.exe
PID 1384 wrote to memory of 548	1384	Explorer.EXE	systray.exe
PID 1384 wrote to memory of 548	1384	Explorer.EXE	systray.exe
PID 1384 wrote to memory of 548	1384	Explorer.EXE	systray.exe
PID 548 wrote to memory of 840	548	systray.exe	cmd.exe
PID 548 wrote to memory of 840	548	systray.exe	cmd.exe
PID 548 wrote to memory of 840	548	systray.exe	cmd.exe
PID 548 wrote to memory of 840	548	systray.exe	cmd.exe
PID 1384 wrote to memory of 1516	1384	Explorer.EXE	explorer.exe
PID 1384 wrote to memory of 1516	1384	Explorer.EXE	explorer.exe
PID 1384 wrote to memory of 1516	1384	Explorer.EXE	explorer.exe
PID 1384 wrote to memory of 2012	1384	Explorer.EXE	taskmgr.exe
PID 1384 wrote to memory of 2012	1384	Explorer.EXE	taskmgr.exe
PID 1384 wrote to memory of 2012	1384	Explorer.EXE	taskmgr.exe
PID 2012 wrote to memory of 1704	2012	taskmgr.exe	perfmon.exe
PID 2012 wrote to memory of 1704	2012	taskmgr.exe	perfmon.exe
PID 2012 wrote to memory of 1704	2012	taskmgr.exe	perfmon.exe
PID 1384 wrote to memory of 956	1384	Explorer.EXE	explorer.exe
PID 1384 wrote to memory of 956	1384	Explorer.EXE	explorer.exe
PID 1384 wrote to memory of 956	1384	Explorer.EXE	explorer.exe
PID 1384 wrote to memory of 1748	1384	Explorer.EXE	chrome.exe
PID 1384 wrote to memory of 1748	1384	Explorer.EXE	chrome.exe
PID 1384 wrote to memory of 1748	1384	Explorer.EXE	chrome.exe
PID 1748 wrote to memory of 1452	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1452	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1452	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe
PID 1748 wrote to memory of 1924	1748	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\INV21029.exe
"C:\Users\Admin\AppData\Local\Temp\INV21029.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556

C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe"
3⤵
PID:840

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1016

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\System32\perfmon.exe
"C:\Windows\System32\perfmon.exe" /res
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62a4f50,0x7fef62a4f60,0x7fef62a4f70
3⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1276 /prefetch:8
3⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1052 /prefetch:2
3⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8
3⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
3⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
3⤵
PID:668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
3⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2752 /prefetch:2
3⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
3⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3144 /prefetch:8
3⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3240 /prefetch:8
3⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
3⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
3⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3220 /prefetch:8
3⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3156 /prefetch:8
3⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
3⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
3⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
3⤵
PID:2820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
3⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
3⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
3⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4592 /prefetch:8
3⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
3⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
3⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
3⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
3⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5596 /prefetch:8
3⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3728 /prefetch:8
3⤵
PID:2528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3744 /prefetch:8
3⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
3⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5020 /prefetch:8
3⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3704 /prefetch:8
3⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:8
3⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
3⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
3⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
3⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
3⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
3⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
3⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
3⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
3⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
3⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3700 /prefetch:8
3⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 /prefetch:8
3⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
3⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
3⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
3⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
3⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
3⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
3⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1044,10518215230587322948,5324062942827604471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:8
3⤵
PID:2632

C:\Program Files (x86)\Bmrxh\vgaqhvh.exe
"C:\Program Files (x86)\Bmrxh\vgaqhvh.exe"
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2488 -s 160
3⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Users\Admin\Desktop\Unlocker1.9.2.exe
"C:\Users\Admin\Desktop\Unlocker1.9.2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2184

C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe
"C:\Users\Admin\AppData\Local\Temp\DeltaTB.exe" /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244

C:\Users\Admin\AppData\Local\Temp\AB1115A5-BAB0-7891-B513-47C5E35F1725\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\AB1115A5-BAB0-7891-B513-47C5E35F1725\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\AB1115~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
5⤵
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1096

C:\Program Files (x86)\Internet Explorer\IELowutil.exe
"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
6⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\AB1115A5-BAB0-7891-B513-47C5E35F1725\Latest\Setup.exe
C:\Users\Admin\AppData\Local\Temp\AB1115A5-BAB0-7891-B513-47C5E35F1725\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=122471" /srcExt=ss /instlRef=sst /S /mtb /mds /mhp /mnt
5⤵
- Executes dropped EXE
PID:2888

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Unlocker\UnlockerCOM.dll"
3⤵
- Loads dropped DLL
PID:2320

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Unlocker\UnlockerCOM.dll"
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2680

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:2824

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe" "C:\Users"
2⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe" "C:\Users"
2⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Program Files\Unlocker\Unlocker.exe
"C:\Program Files\Unlocker\Unlocker.exe" "C:\Users\Admin\Desktop\FormatMerge.dib"
2⤵
- Executes dropped EXE
- Suspicious behavior: LoadsDriver
PID:468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:2116

C:\Windows\system32\net.exe
net user test /add
3⤵
PID:2140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user test /add
4⤵
PID:2984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1460

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1352

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2992

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Enumerates system info in registry
PID:2876

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:564

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
2⤵
PID:1504

C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
2⤵
PID:2216

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
3⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2164

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
4⤵
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Internet Explorer settings
PID:2300

C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
4⤵
- Drops desktop.ini file(s)
PID:2260

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
5⤵
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
4⤵
- Enumerates connected drives
- Modifies registry class
PID:2076

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
4⤵
- Drops startup file
- Drops desktop.ini file(s)
PID:2364

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
4⤵
PID:2028

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
4⤵
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:2768

C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
5⤵
PID:2256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
5⤵
- Drops file in Windows directory
PID:2752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
5⤵
PID:2764

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
6⤵
PID:2944

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
4⤵
- Sets desktop wallpaper using registry
- Modifies Internet Explorer settings
PID:1184

C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
4⤵
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
4⤵
- Enumerates connected drives
- Modifies registry class
PID:2420

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
4⤵
- Drops startup file
- Drops desktop.ini file(s)
- Modifies registry class
PID:1168

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
4⤵
PID:2276

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
4⤵
- Loads dropped DLL
PID:2356

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x144,0x148,0x14c,0x118,0x150,0x14016a890,0x14016a8a0,0x14016a8b0
5⤵
PID:2284

C:\Windows\System32\wer46t.exe
"C:\Windows\System32\wer46t.exe"
4⤵
PID:2096

C:\Windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\runonce.exe /Run6432
4⤵
- Checks processor information in registry
PID:1692

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
5⤵
PID:1884

C:\Program Files (x86)\Bmrxh\vgaqhvh.exe
"C:\Program Files (x86)\Bmrxh\vgaqhvh.exe"
5⤵
- Executes dropped EXE
PID:2144

C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
4⤵
- Adds Run key to start application
PID:1492

C:\Windows\System32\mctadmin.exe
"C:\Windows\System32\mctadmin.exe"
4⤵
- Drops desktop.ini file(s)
- Modifies Internet Explorer settings
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
4⤵
- Enumerates system info in registry
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef62a4f50,0x7fef62a4f60,0x7fef62a4f70
5⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1284 /prefetch:8
5⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
5⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 /prefetch:8
5⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
5⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
5⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
5⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
5⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
5⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2640 /prefetch:1
5⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3128 /prefetch:2
5⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:8
5⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
5⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
5⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3416 /prefetch:8
5⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1116,17635082688737395924,10170816228879891301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:8
5⤵
PID:3280

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2244

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1640

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:2900

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 160
1⤵
- Loads dropped DLL
- Program crash
PID:2572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery