socelars | ccbecba4ce6fdfaecbbf19cb34f1a1a7ba54b00732694d457c6461053132581b

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-06-2022 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984cdc0f7f2bc6dabccc5da23de60d32.exe
Size

766KB
MD5

984cdc0f7f2bc6dabccc5da23de60d32
SHA1

3272225357f571c5b4e9b6c945d40b08a0d700ed
SHA256

ccbecba4ce6fdfaecbbf19cb34f1a1a7ba54b00732694d457c6461053132581b
SHA512

51cc950183d09af113ca0f86568f735922c59d84e74839ea4d8cb725206fc6cc1954686dbc84e0e8b16761ef1dc45f61a23d65cb6b91e482faf42da7b1a0eec2

Score

10^/10

socelars discovery evasion persistence spyware stealer suricata upx vmprotect

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 9176 4660 rundll32.exe
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9176	4660	rundll32.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\ApiTool.dll	acprotect
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\ApiTool.dll	acprotect

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 55 IoCs

Processes:

MsiExec.exe

flow	pid	process
175	9896	MsiExec.exe
177	9896	MsiExec.exe
180	9896	MsiExec.exe
186	9896	MsiExec.exe
188	9896	MsiExec.exe
175	9896	MsiExec.exe
195	9896	MsiExec.exe
212	9896	MsiExec.exe
215	9896	MsiExec.exe
224	9896	MsiExec.exe
227	9896	MsiExec.exe
228	9896	MsiExec.exe
231	9896	MsiExec.exe
232	9896	MsiExec.exe
231	9896	MsiExec.exe
233	9896	MsiExec.exe
232	9896	MsiExec.exe
235	9896	MsiExec.exe
236	9896	MsiExec.exe
242	9896	MsiExec.exe
245	9896	MsiExec.exe
255	9896	MsiExec.exe
256	9896	MsiExec.exe
260	9896	MsiExec.exe
261	9896	MsiExec.exe
267	9896	MsiExec.exe
269	9896	MsiExec.exe
271	9896	MsiExec.exe
272	9896	MsiExec.exe
275	9896	MsiExec.exe
277	9896	MsiExec.exe
283	9896	MsiExec.exe
284	9896	MsiExec.exe
285	9896	MsiExec.exe
286	9896	MsiExec.exe
288	9896	MsiExec.exe
292	9896	MsiExec.exe
269	9896	MsiExec.exe
295	9896	MsiExec.exe
296	9896	MsiExec.exe
297	9896	MsiExec.exe
300	9896	MsiExec.exe
302	9896	MsiExec.exe
303	9896	MsiExec.exe
304	9896	MsiExec.exe
305	9896	MsiExec.exe
308	9896	MsiExec.exe
311	9896	MsiExec.exe
312	9896	MsiExec.exe
313	9896	MsiExec.exe
314	9896	MsiExec.exe
188	9896	MsiExec.exe
186	9896	MsiExec.exe
177	9896	MsiExec.exe
180	9896	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 4 IoCs

Processes:

befeduce.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	befeduce.exe
File opened for modification	C:\Windows\System32\drivers\SETED91.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETED91.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Executes dropped EXE 25 IoCs

Processes:

984cdc0f7f2bc6dabccc5da23de60d32.tmpbefeduce.exeLojulaevaewi.exeNaewaexofoxi.exeinstaller.exeirecord.exeirecord.tmp161.exegcleaner.exe161.tmprandom.exeI-Record.exefile.exerandom.exehandselfdiy_0.exewDzAUYj.exe00000029..exermaa1045.exeinstaller.exetapinstall.exetapinstall.exemask_svc.exemask_svc.exemask_svc.exeMaskVPNUpdate.exe

pid	process
3380	984cdc0f7f2bc6dabccc5da23de60d32.tmp
4112	befeduce.exe
4676	Lojulaevaewi.exe
4692	Naewaexofoxi.exe
6628	installer.exe
7108	irecord.exe
7204	irecord.tmp
7420	161.exe
7508	gcleaner.exe
7528	161.tmp
7860	random.exe
7876	I-Record.exe
8272	file.exe
8560	random.exe
8956	handselfdiy_0.exe
8984	wDzAUYj.exe
9068	00000029..exe
9368	rmaa1045.exe
9548	installer.exe
9972	tapinstall.exe
10188	tapinstall.exe
2968	mask_svc.exe
1652	mask_svc.exe
7120	mask_svc.exe
9536	MaskVPNUpdate.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\ApiTool.dll	upx
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\ApiTool.dll	upx
behavioral2/memory/7528-235-0x0000000005BF0000-0x0000000005FF0000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/9368-281-0x0000000140000000-0x0000000140679000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Naewaexofoxi.exerandom.exefile.exe161.tmpgcleaner.exebefeduce.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Naewaexofoxi.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	161.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	gcleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	befeduce.exe

Loads dropped DLL 49 IoCs

Processes:

984cdc0f7f2bc6dabccc5da23de60d32.tmpinstaller.exe161.tmpMsiExec.exeI-Record.exerundll32.exeMsiExec.exeMsiExec.exemask_svc.exeMaskVPNUpdate.exe

pid	process
3380	984cdc0f7f2bc6dabccc5da23de60d32.tmp
6628	installer.exe
6628	installer.exe
7528	161.tmp
7528	161.tmp
6628	installer.exe
7528	161.tmp
7528	161.tmp
8028	MsiExec.exe
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
8028	MsiExec.exe
7876	I-Record.exe
7876	I-Record.exe
7876	I-Record.exe
7876	I-Record.exe
7876	I-Record.exe
7876	I-Record.exe
7876	I-Record.exe
7876	I-Record.exe
9372	rundll32.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
6628	installer.exe
9896	MsiExec.exe
9896	MsiExec.exe
9896	MsiExec.exe
4028	MsiExec.exe
9896	MsiExec.exe
7120	mask_svc.exe
7120	mask_svc.exe
7120	mask_svc.exe
7120	mask_svc.exe
7120	mask_svc.exe
7120	mask_svc.exe
7528	161.tmp
7528	161.tmp
9536	MaskVPNUpdate.exe
9536	MaskVPNUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

befeduce.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Media Player\\Roqaewaebyjy.exe\""	befeduce.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

126 ip-api.com

flow	ioc
126	ip-api.com

Drops file in System32 directory 16 IoCs

Processes:

tapinstall.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\SETE045.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\SETE045.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\SETE033.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\SETE033.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\SETE034.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{067b1a61-f1a6-2644-a85b-43a136f44355}\SETE034.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf	DrvInst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

mask_svc.exemask_svc.exemask_svc.exe

pid process

2968 mask_svc.exe
1652 mask_svc.exe
7120 mask_svc.exe

pid	process
2968	mask_svc.exe
1652	mask_svc.exe
7120	mask_svc.exe

Drops file in Program Files directory 64 IoCs

Processes:

161.tmpsetup.exeirecord.tmpmsiexec.exeMaskVPNUpdate.exehandselfdiy_0.exebefeduce.exe

description	ioc	process
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-FN67H.tmp	161.tmp
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\87e215ba-27c2-43a8-bf80-020fd30772a9.tmp	setup.exe
File created	C:\Program Files (x86)\i-record\is-U570K.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\mask_svc.exe	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\MaskVPN.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-BA2CC.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-3339J.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-E0MVG.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-TVRRR.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-1E6R9.tmp	161.tmp
File created	C:\Program Files (x86)\i-record\is-QMI3F.tmp	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-8ENUU.tmp	161.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\i-record\is-KBMNG.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\version	MaskVPNUpdate.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\ssleay32.dll	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-R6SRI.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-8E8GB.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-2HQPU.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-7CAVD.tmp	161.tmp
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	handselfdiy_0.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	handselfdiy_0.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	handselfdiy_0.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\libCommon.dll	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-09SDI.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\i-record\I-Record.exe	irecord.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\ipseccmd.exe	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\tunnle.exe	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-Q37DE.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-T52ET.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-866J2.tmp	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win764\is-OMP3L.tmp	161.tmp
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	handselfdiy_0.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	handselfdiy_0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220617082556.pma	setup.exe
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\is-JJAFD.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-BT13C.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp32\is-F1TB6.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-113UE.tmp	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\libeay32.dll	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-UG6IA.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-3SO1D.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\winxp64\is-542LQ.tmp	161.tmp
File created	C:\Program Files (x86)\MaskVPN\is-P9FC9.tmp	161.tmp
File created	C:\Program Files\Windows Media Player\URXBTVLOMK\irecord.exe.config	befeduce.exe
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\MaskVPN\driver\win732\is-FIDK8.tmp	161.tmp
File created	C:\Program Files (x86)\i-record\is-HQAMU.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-T3NBV.tmp	irecord.tmp
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	handselfdiy_0.exe
File created	C:\Program Files (x86)\Windows Media Player\Roqaewaebyjy.exe	befeduce.exe
File created	C:\Program Files (x86)\Windows Media Player\Roqaewaebyjy.exe.config	befeduce.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	handselfdiy_0.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	handselfdiy_0.exe
File opened for modification	C:\Program Files (x86)\MaskVPN\polstore.dll	161.tmp
File opened for modification	C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe	161.tmp

Drops file in Windows directory 33 IoCs

Processes:

msiexec.exeDrvInst.exeDrvInst.exetapinstall.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e56ca98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAF7.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE86E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCBE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFEE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF6A.tmp	msiexec.exe
File created	C:\Windows\Installer\e56ca9b.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\Installer\MSIDA58.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\Installer\MSIDA98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDDF8.tmp	msiexec.exe
File created	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIEED9.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e56ca98.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCDE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEE3.tmp	msiexec.exe
File opened for modification	C:\Windows\inf\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE176.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE80F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC38.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
8552	7508	WerFault.exe	gcleaner.exe
9652	9372	WerFault.exe	rundll32.exe
9660	9368	WerFault.exe	rmaa1045.exe
5780	7508	WerFault.exe	gcleaner.exe
2136	7508	WerFault.exe	gcleaner.exe
2788	7508	WerFault.exe	gcleaner.exe
4156	7508	WerFault.exe	gcleaner.exe
4232	7508	WerFault.exe	gcleaner.exe
4728	7508	WerFault.exe	gcleaner.exe
6424	7508	WerFault.exe	gcleaner.exe
6776	7508	WerFault.exe	gcleaner.exe

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

tapinstall.exeDrvInst.exeDrvInst.exetapinstall.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

9912 taskkill.exe
5952 taskkill.exe
4936 taskkill.exe

pid	process
9912	taskkill.exe
5952	taskkill.exe
4936	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

mask_svc.exeDrvInst.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-152 = "Central America Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2322 = "Sakhalin Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2942 = "Sao Tome Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2431 = "Cuba Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-292 = "Central European Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-262 = "GMT Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time"	mask_svc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	mask_svc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time"	mask_svc.exe

Modifies registry class 30 IoCs

Processes:

msiexec.exe161.tmpmsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	161.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "B4475F7B84C01E149A118600075FE4C1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}"	161.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Yonatan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32	161.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	161.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}	161.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe

Modifies system certificate store 2 TTPs 18 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exe161.tmpLojulaevaewi.exehandselfdiy_0.exetapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be	161.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f	161.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Lojulaevaewi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	handselfdiy_0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC	161.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Lojulaevaewi.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA	161.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	handselfdiy_0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

9696 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 107 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
9696	PING.EXE

description	flow	ioc
HTTP User-Agent header	107	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Naewaexofoxi.exe

pid	process
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe
4692	Naewaexofoxi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exechrome.exe

pid	process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

befeduce.exeLojulaevaewi.exeNaewaexofoxi.exemsiexec.exeinstaller.exe161.tmp

description	pid	process
Token: SeDebugPrivilege	4112	befeduce.exe
Token: SeDebugPrivilege	4676	Lojulaevaewi.exe
Token: SeDebugPrivilege	4692	Naewaexofoxi.exe
Token: SeSecurityPrivilege	7364	msiexec.exe
Token: SeCreateTokenPrivilege	6628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	6628	installer.exe
Token: SeLockMemoryPrivilege	6628	installer.exe
Token: SeIncreaseQuotaPrivilege	6628	installer.exe
Token: SeMachineAccountPrivilege	6628	installer.exe
Token: SeTcbPrivilege	6628	installer.exe
Token: SeSecurityPrivilege	6628	installer.exe
Token: SeTakeOwnershipPrivilege	6628	installer.exe
Token: SeLoadDriverPrivilege	6628	installer.exe
Token: SeSystemProfilePrivilege	6628	installer.exe
Token: SeSystemtimePrivilege	6628	installer.exe
Token: SeProfSingleProcessPrivilege	6628	installer.exe
Token: SeIncBasePriorityPrivilege	6628	installer.exe
Token: SeCreatePagefilePrivilege	6628	installer.exe
Token: SeCreatePermanentPrivilege	6628	installer.exe
Token: SeBackupPrivilege	6628	installer.exe
Token: SeRestorePrivilege	6628	installer.exe
Token: SeShutdownPrivilege	6628	installer.exe
Token: SeDebugPrivilege	6628	installer.exe
Token: SeAuditPrivilege	6628	installer.exe
Token: SeSystemEnvironmentPrivilege	6628	installer.exe
Token: SeChangeNotifyPrivilege	6628	installer.exe
Token: SeRemoteShutdownPrivilege	6628	installer.exe
Token: SeUndockPrivilege	6628	installer.exe
Token: SeSyncAgentPrivilege	6628	installer.exe
Token: SeEnableDelegationPrivilege	6628	installer.exe
Token: SeManageVolumePrivilege	6628	installer.exe
Token: SeImpersonatePrivilege	6628	installer.exe
Token: SeCreateGlobalPrivilege	6628	installer.exe
Token: SeDebugPrivilege	7528	161.tmp
Token: SeCreateTokenPrivilege	6628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	6628	installer.exe
Token: SeLockMemoryPrivilege	6628	installer.exe
Token: SeIncreaseQuotaPrivilege	6628	installer.exe
Token: SeMachineAccountPrivilege	6628	installer.exe
Token: SeTcbPrivilege	6628	installer.exe
Token: SeSecurityPrivilege	6628	installer.exe
Token: SeTakeOwnershipPrivilege	6628	installer.exe
Token: SeLoadDriverPrivilege	6628	installer.exe
Token: SeSystemProfilePrivilege	6628	installer.exe
Token: SeSystemtimePrivilege	6628	installer.exe
Token: SeProfSingleProcessPrivilege	6628	installer.exe
Token: SeIncBasePriorityPrivilege	6628	installer.exe
Token: SeCreatePagefilePrivilege	6628	installer.exe
Token: SeCreatePermanentPrivilege	6628	installer.exe
Token: SeBackupPrivilege	6628	installer.exe
Token: SeRestorePrivilege	6628	installer.exe
Token: SeShutdownPrivilege	6628	installer.exe
Token: SeDebugPrivilege	6628	installer.exe
Token: SeAuditPrivilege	6628	installer.exe
Token: SeSystemEnvironmentPrivilege	6628	installer.exe
Token: SeChangeNotifyPrivilege	6628	installer.exe
Token: SeRemoteShutdownPrivilege	6628	installer.exe
Token: SeUndockPrivilege	6628	installer.exe
Token: SeSyncAgentPrivilege	6628	installer.exe
Token: SeEnableDelegationPrivilege	6628	installer.exe
Token: SeManageVolumePrivilege	6628	installer.exe
Token: SeImpersonatePrivilege	6628	installer.exe
Token: SeCreateGlobalPrivilege	6628	installer.exe
Token: SeCreateTokenPrivilege	6628	installer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeinstaller.exeirecord.tmp161.tmp

pid	process
4284	msedge.exe
4284	msedge.exe
4284	msedge.exe
6628	installer.exe
7204	irecord.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp
7528	161.tmp

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

random.exerandom.exeMaskVPNUpdate.exe

pid process

7860 random.exe
7860 random.exe
8560 random.exe
8560 random.exe
9536 MaskVPNUpdate.exe

pid	process
7860	random.exe
7860	random.exe
8560	random.exe
8560	random.exe
9536	MaskVPNUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

984cdc0f7f2bc6dabccc5da23de60d32.exe984cdc0f7f2bc6dabccc5da23de60d32.tmpbefeduce.exeLojulaevaewi.exemsedge.exe

description	pid	process	target process
PID 2324 wrote to memory of 3380	2324	984cdc0f7f2bc6dabccc5da23de60d32.exe	984cdc0f7f2bc6dabccc5da23de60d32.tmp
PID 2324 wrote to memory of 3380	2324	984cdc0f7f2bc6dabccc5da23de60d32.exe	984cdc0f7f2bc6dabccc5da23de60d32.tmp
PID 2324 wrote to memory of 3380	2324	984cdc0f7f2bc6dabccc5da23de60d32.exe	984cdc0f7f2bc6dabccc5da23de60d32.tmp
PID 3380 wrote to memory of 4112	3380	984cdc0f7f2bc6dabccc5da23de60d32.tmp	befeduce.exe
PID 3380 wrote to memory of 4112	3380	984cdc0f7f2bc6dabccc5da23de60d32.tmp	befeduce.exe
PID 4112 wrote to memory of 4676	4112	befeduce.exe	Lojulaevaewi.exe
PID 4112 wrote to memory of 4676	4112	befeduce.exe	Lojulaevaewi.exe
PID 4112 wrote to memory of 4692	4112	befeduce.exe	Naewaexofoxi.exe
PID 4112 wrote to memory of 4692	4112	befeduce.exe	Naewaexofoxi.exe
PID 4676 wrote to memory of 4284	4676	Lojulaevaewi.exe	msedge.exe
PID 4676 wrote to memory of 4284	4676	Lojulaevaewi.exe	msedge.exe
PID 4284 wrote to memory of 208	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 208	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9360	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9396	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 9396	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe
PID 4284 wrote to memory of 6052	4284	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\984cdc0f7f2bc6dabccc5da23de60d32.exe
"C:\Users\Admin\AppData\Local\Temp\984cdc0f7f2bc6dabccc5da23de60d32.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Users\Admin\AppData\Local\Temp\is-JMDN5.tmp\984cdc0f7f2bc6dabccc5da23de60d32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JMDN5.tmp\984cdc0f7f2bc6dabccc5da23de60d32.tmp" /SL5="$501C4,506127,422400,C:\Users\Admin\AppData\Local\Temp\984cdc0f7f2bc6dabccc5da23de60d32.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3380

C:\Users\Admin\AppData\Local\Temp\is-C8ADC.tmp\befeduce.exe
"C:\Users\Admin\AppData\Local\Temp\is-C8ADC.tmp\befeduce.exe" /S /UID=Irecch4
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Users\Admin\AppData\Local\Temp\a0-0148c-c03-a0684-a898c9f7a450e\Lojulaevaewi.exe
"C:\Users\Admin\AppData\Local\Temp\a0-0148c-c03-a0684-a898c9f7a450e\Lojulaevaewi.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b3f646f8,0x7ff8b3f64708,0x7ff8b3f64718
6⤵
PID:208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
6⤵
PID:9360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
6⤵
PID:9396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
6⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
6⤵
PID:6764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
6⤵
PID:6784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 /prefetch:8
6⤵
PID:7092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
6⤵
PID:7340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
6⤵
PID:7552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
6⤵
PID:7984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
6⤵
PID:8468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
6⤵
PID:8508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6276 /prefetch:8
6⤵
PID:10224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
6⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
6⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
6⤵
PID:7896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
- Drops file in Program Files directory
PID:8280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff671ea5460,0x7ff671ea5470,0x7ff671ea5480
7⤵
PID:8516

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
6⤵
PID:8268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6896 /prefetch:8
6⤵
PID:9172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
6⤵
PID:9688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3981427923591221652,11966393245887336456,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6140 /prefetch:2
6⤵
PID:9940

C:\Users\Admin\AppData\Local\Temp\cc-77207-279-5f9a1-1b9961bf956a8\Naewaexofoxi.exe
"C:\Users\Admin\AppData\Local\Temp\cc-77207-279-5f9a1-1b9961bf956a8\Naewaexofoxi.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\installer.exe /qn CAMPAIGN= & exit
5⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\installer.exe
C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\installer.exe /qn CAMPAIGN=
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6628

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN="" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1655213762 /qn CAMPAIGN= " CAMPAIGN=""
7⤵
PID:9208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ajxgtqil.flp\161.exe /silent /subid=798 & exit
5⤵
PID:7228

C:\Users\Admin\AppData\Local\Temp\ajxgtqil.flp\161.exe
C:\Users\Admin\AppData\Local\Temp\ajxgtqil.flp\161.exe /silent /subid=798
6⤵
- Executes dropped EXE
PID:7420

C:\Users\Admin\AppData\Local\Temp\is-CR4P5.tmp\161.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CR4P5.tmp\161.tmp" /SL5="$2021A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ajxgtqil.flp\161.exe" /silent /subid=798
7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:7528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
8⤵
PID:9772

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe remove tap0901
9⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:9972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
8⤵
PID:10100

C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
tapinstall.exe install OemVista.inf tap0901
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:10188

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2968

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2gfm1n1i.aa4\gcleaner.exe /mixfive & exit
5⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\2gfm1n1i.aa4\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\2gfm1n1i.aa4\gcleaner.exe /mixfive
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:7508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 456
7⤵
- Program crash
PID:8552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 768
7⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 776
7⤵
- Program crash
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 820
7⤵
- Program crash
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 828
7⤵
- Program crash
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 984
7⤵
- Program crash
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 1012
7⤵
- Program crash
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 1360
7⤵
- Program crash
PID:6424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2gfm1n1i.aa4\gcleaner.exe" & exit
7⤵
PID:6600

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
8⤵
- Kills process with taskkill
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7508 -s 1280
7⤵
- Program crash
PID:6776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe & exit
5⤵
PID:7796

C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe
C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:7860

C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe
"C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe" help
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:8560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\asyf4xyi.vdz\file.exe & exit
5⤵
PID:8124

C:\Users\Admin\AppData\Local\Temp\asyf4xyi.vdz\file.exe
C:\Users\Admin\AppData\Local\Temp\asyf4xyi.vdz\file.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
PID:8272

C:\Users\Admin\AppData\Roaming\00000029..exe
"C:\Users\Admin\AppData\Roaming\00000029..exe"
7⤵
- Executes dropped EXE
PID:9068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\asyf4xyi.vdz\file.exe" >> NUL
7⤵
PID:9392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
8⤵
- Runs ping.exe
PID:9696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q012jd2c.mcq\handselfdiy_0.exe & exit
5⤵
PID:8576

C:\Users\Admin\AppData\Local\Temp\q012jd2c.mcq\handselfdiy_0.exe
C:\Users\Admin\AppData\Local\Temp\q012jd2c.mcq\handselfdiy_0.exe
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
PID:8956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:9816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:9912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b20d4f50,0x7ff8b20d4f60,0x7ff8b20d4f70
8⤵
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
8⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:8
8⤵
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
8⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
8⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
8⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
8⤵
PID:6180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
8⤵
PID:6252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
8⤵
PID:6388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
8⤵
PID:6492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
8⤵
PID:6500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
8⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
8⤵
PID:7064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
8⤵
PID:7156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
8⤵
PID:7104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
8⤵
PID:7184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
8⤵
PID:7360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
8⤵
PID:6924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
8⤵
PID:8536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
8⤵
PID:8752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
8⤵
PID:6724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
8⤵
PID:8740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
8⤵
PID:9388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1100 /prefetch:8
8⤵
PID:8920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1536 /prefetch:8
8⤵
PID:9532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,1833590657966804557,4360841595184981590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1696 /prefetch:8
8⤵
PID:9832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tzitwscv.gjl\wDzAUYj.exe & exit
5⤵
PID:8900

C:\Users\Admin\AppData\Local\Temp\tzitwscv.gjl\wDzAUYj.exe
C:\Users\Admin\AppData\Local\Temp\tzitwscv.gjl\wDzAUYj.exe
6⤵
- Executes dropped EXE
PID:8984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c0xweed1.idw\rmaa1045.exe & exit
5⤵
PID:9272

C:\Users\Admin\AppData\Local\Temp\c0xweed1.idw\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\c0xweed1.idw\rmaa1045.exe
6⤵
- Executes dropped EXE
PID:9368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 9368 -s 348
7⤵
- Program crash
PID:9660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcnxb5rw.w0k\installer.exe /qn CAMPAIGN=654 & exit
5⤵
PID:9452

C:\Users\Admin\AppData\Local\Temp\tcnxb5rw.w0k\installer.exe
C:\Users\Admin\AppData\Local\Temp\tcnxb5rw.w0k\installer.exe /qn CAMPAIGN=654
6⤵
- Executes dropped EXE
PID:9548

C:\Program Files\Windows Media Player\URXBTVLOMK\irecord.exe
"C:\Program Files\Windows Media Player\URXBTVLOMK\irecord.exe" /VERYSILENT
4⤵
- Executes dropped EXE
PID:7108

C:\Users\Admin\AppData\Local\Temp\is-FPE8M.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FPE8M.tmp\irecord.tmp" /SL5="$3023C,5808768,66560,C:\Program Files\Windows Media Player\URXBTVLOMK\irecord.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:7204

C:\Program Files (x86)\i-record\I-Record.exe
"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2816

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:7364

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E2D030A317B1E60612AD269CEFE9C58B C
2⤵
- Loads dropped DLL
PID:8028

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0B2818CDB6A98762E3CA3A7F4C9B8DD3
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:9896

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:5952

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 289972A2EB93B47FE7A234C44B2034A8 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7508 -ip 7508
1⤵
PID:8176

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:9176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:9372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9372 -s 604
3⤵
- Program crash
PID:9652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 9372 -ip 9372
1⤵
PID:9500

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 9368 -ip 9368
1⤵
PID:9540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7508 -ip 7508
1⤵
PID:5740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3332

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b03ed4c8-47d3-6345-93d8-6ad57193a443}\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1536

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000148"
2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7508 -ip 7508
1⤵
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7508 -ip 7508
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7508 -ip 7508
1⤵
PID:940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7508 -ip 7508
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7508 -ip 7508
1⤵
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7508 -ip 7508
1⤵
PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7508 -ip 7508
1⤵
PID:376

C:\Program Files (x86)\MaskVPN\mask_svc.exe
"C:\Program Files (x86)\MaskVPN\mask_svc.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:7120

C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
MaskVPNUpdate.exe /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:9536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
Filesize
60KB

MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
Filesize
60KB

MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
Filesize
60KB

MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll
Filesize
60KB

MD5
5f60669a79e4c4285325284ab662a0c0

SHA1
5b83f8f2799394df3751799605e9292b21b78504

SHA256
3f6aa370d70259dc55241950d669d2bf3dc7b57a0c45c6a2f8dec0d8c8cc35b0

SHA512
6ec9fe576daa4fde11a39a929dd23ab44297521c4d23352af1a78716cc3ec7927aa6949d5f7af638148e58e5b6d1d16043ad1a7b0dabb8103acc07d0d4c8a42f

Download Submit
C:\Program Files (x86)\i-record\I-Record.exe
Filesize
873KB

MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
C:\Program Files (x86)\i-record\I-Record.exe
Filesize
873KB

MD5
13c3ba689a19b325a19ab62cbe4c313c

SHA1
8b0ba8fc4eab09e5aa958699411479a1ce201a18

SHA256
696822fcdd3382ba02dfcce45ec4784d65ef44adf7d1fac2520b81f8ce007cf9

SHA512
387095ec1ccfd7f4e2dac8522fd72b3199447ad750133bf3719810952262321845f6590457ab4c950f5cf9c5fda93377710e7b8d940b04d6c80252f1ccf8033e

Download Submit
C:\Program Files (x86)\i-record\I-Record.exe.config
Filesize
196B

MD5
871947926c323ad2f2148248d9a46837

SHA1
0a70fe7442e14ecfadd2932c2fb46b8ddc04ba7a

SHA256
f3d7125a0e0f61c215f80b1d25e66c83cd20ed3166790348a53e0b7faf52550e

SHA512
58d9687495c839914d3aa6ae16677f43a0fa9a415dbd8336b0fcacd0c741724867b27d62a640c09828b902c69ac8f5d71c64cdadf87199e7637681a5b87da3b7

Download Submit
C:\Program Files (x86)\i-record\avcodec-53.dll
Filesize
13.1MB

MD5
65f639a2eda8db2a1ea40b5ddb5a2ed4

SHA1
3f32853740928c5e88b15fdc86c95a2ebd8aeb37

SHA256
e4e41c0c1c85e2aeaff1bea914880d2cb01b153a1a9ceddccaf05f8b5362210d

SHA512
980b6a5511716073d5eeb8b5437c6f23bda300402c64d05d2a54da614e3ef1412743ec5bb4100e54699d7a74f8c437560cb9faa67824cbbabdf1f9399945e21b

Download Submit
C:\Program Files (x86)\i-record\avformat-53.dll
Filesize
2.4MB

MD5
11340a55f155a904596bf3a13788a93a

SHA1
92a2f79717f71696ebde3c400aa52804eda5984e

SHA256
b26b2df18537b3df6706aa9e743d1a1e511a6fd21f7f7815f15ef96bb09a85e9

SHA512
2dc2bb8b0b4a38ddee62d85fdf7c551b0b77f5b9c7791cf82a00eea847f86006df5139874381dd6db739bb77ec008be9f32185ec71ca8be603f7fe515662c78b

Download Submit
C:\Program Files (x86)\i-record\avutil-51.dll
Filesize
136KB

MD5
78128217a6151041fc8f7f29960bdd2a

SHA1
a6fe2fa059334871181f60b626352e8325cbdda8

SHA256
678ca4d9f4d4ad1703006026afe3df5490664c05bb958b991c028ce9314757f7

SHA512
5f534a8b186797046526cfb29f95e89e90c555cf54cc8e99a801dfe9327433c9c0fd2cb63a335ade606075c9fab5173c1ad805242ceb04bc1fd78f37da166d84

Download Submit
C:\Program Files (x86)\i-record\swscale-2.dll
Filesize
295KB

MD5
564dca64680d608517721cdbe324b1d6

SHA1
f2683fa13772fc85c3ea4cffa3d896373a603ad3

SHA256
f9550ace57ce5b19add143e507179dc601a832b054963d1c3b5c003f1a8149cc

SHA512
1d80e9de29320201c988e8b11036c423d83620e99bcadec5142eb14b6513e49d9b41904e92154139e327cd5cc6f058b4bb467ee4fbb342794296e0dfe774dc75

Download Submit
C:\Program Files (x86)\i-record\swscale-2.dll
Filesize
295KB

MD5
564dca64680d608517721cdbe324b1d6

SHA1
f2683fa13772fc85c3ea4cffa3d896373a603ad3

SHA256
f9550ace57ce5b19add143e507179dc601a832b054963d1c3b5c003f1a8149cc

SHA512
1d80e9de29320201c988e8b11036c423d83620e99bcadec5142eb14b6513e49d9b41904e92154139e327cd5cc6f058b4bb467ee4fbb342794296e0dfe774dc75

Download Submit
C:\Program Files\Windows Media Player\URXBTVLOMK\irecord.exe
Filesize
5.8MB

MD5
f3e69396bfcb70ee59a828705593171a

SHA1
d4df6a67e0f7af5385613256dbf485e1f2886c55

SHA256
c970b8146afbd7347f5488fd821ae6ade4f355dcb29d764b7834ce8a1754105f

SHA512
4743b9bf562c1b8616f794493123160de95ba15451affacf286aff6d2af023a07d7942a8753c3fdccf8d294f99b46adee8ac58f6a29d42dea973a9de6a77d22f

Download Submit
C:\Program Files\Windows Media Player\URXBTVLOMK\irecord.exe
Filesize
5.8MB

MD5
f3e69396bfcb70ee59a828705593171a

SHA1
d4df6a67e0f7af5385613256dbf485e1f2886c55

SHA256
c970b8146afbd7347f5488fd821ae6ade4f355dcb29d764b7834ce8a1754105f

SHA512
4743b9bf562c1b8616f794493123160de95ba15451affacf286aff6d2af023a07d7942a8753c3fdccf8d294f99b46adee8ac58f6a29d42dea973a9de6a77d22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gfm1n1i.aa4\gcleaner.exe
Filesize
361KB

MD5
a5793627dd8932fdecc46a17ba0498e7

SHA1
cf4d6b33505077e535e52cfd432b6ba4d128760d

SHA256
495d645c70d4c894e00eea8e1be33469f070d44ec3d0f915c00fa20ee459c398

SHA512
614a6fb56ceff18471a9855aa40911225a97c33d323a2cae264ab8d4a451ebbb8237581e4853e2ab6567c78f02f8b397de74d15da9b5da4f1c6da518c8abae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gfm1n1i.aa4\gcleaner.exe
Filesize
361KB

MD5
a5793627dd8932fdecc46a17ba0498e7

SHA1
cf4d6b33505077e535e52cfd432b6ba4d128760d

SHA256
495d645c70d4c894e00eea8e1be33469f070d44ec3d0f915c00fa20ee459c398

SHA512
614a6fb56ceff18471a9855aa40911225a97c33d323a2cae264ab8d4a451ebbb8237581e4853e2ab6567c78f02f8b397de74d15da9b5da4f1c6da518c8abae2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\INA9669.tmp
Filesize
789KB

MD5
dd1f93eb81e6c99ba9be55b0c12e8bb4

SHA1
1d767983aaa4eb5c9e19409cf529969142033850

SHA256
f55b853958f07b15f0dae7a871c1ebe2ec117ef54ba3811d31cec4c8ae471d9b

SHA512
7968839ca3e7337b2e7774d92c4a3666e9b7d8d76000475b39c2bda6db3320fc9b2100322505997798af5631a007787fbd8d0d6fe0b51949c545c67e696aaf1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9D9E.tmp
Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9D9E.tmp
Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA560.tmp
Filesize
914KB

MD5
91d4a8c2c296ef53dd8c01b9af69b735

SHA1
ad2e5311a0f2dbba988fbdb6fcf70034fda3920d

SHA256
a787e7a1ad12783fcbf3f853940590329e0ff0dddf17282324f2d95ed6408f23

SHA512
63c5506a55dea2b3bd1c99b79b5668f5afc0104564e92f07afb42f2f2b67eae9d0e0174cb36e6095a27a6c71496206042079b6e5a2b2ff787f3cb9ef20995e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA560.tmp
Filesize
914KB

MD5
91d4a8c2c296ef53dd8c01b9af69b735

SHA1
ad2e5311a0f2dbba988fbdb6fcf70034fda3920d

SHA256
a787e7a1ad12783fcbf3f853940590329e0ff0dddf17282324f2d95ed6408f23

SHA512
63c5506a55dea2b3bd1c99b79b5668f5afc0104564e92f07afb42f2f2b67eae9d0e0174cb36e6095a27a6c71496206042079b6e5a2b2ff787f3cb9ef20995e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0-0148c-c03-a0684-a898c9f7a450e\Lojulaevaewi.exe
Filesize
575KB

MD5
b78cd54e9952b21140da7471ad414416

SHA1
6d017b99742c9af216189bc38f06661bfc9d37f3

SHA256
3168662154acbaad4d0d633d3c64756422447251ca2040bdce74487a7500a067

SHA512
51b12a58894a9e45b8f8e19667c207f06ea8f5ce1978e1564606a1558ad0fb0a4ed69b1504a42f423e811316f7b1d95d5f64d4a38f76c81f45696712db9bd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0-0148c-c03-a0684-a898c9f7a450e\Lojulaevaewi.exe
Filesize
575KB

MD5
b78cd54e9952b21140da7471ad414416

SHA1
6d017b99742c9af216189bc38f06661bfc9d37f3

SHA256
3168662154acbaad4d0d633d3c64756422447251ca2040bdce74487a7500a067

SHA512
51b12a58894a9e45b8f8e19667c207f06ea8f5ce1978e1564606a1558ad0fb0a4ed69b1504a42f423e811316f7b1d95d5f64d4a38f76c81f45696712db9bd374

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0-0148c-c03-a0684-a898c9f7a450e\Lojulaevaewi.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajxgtqil.flp\161.exe
Filesize
15.0MB

MD5
6e10487b382380bb4527d3f68866c527

SHA1
7719fb5ff96dc830a1d0fe5cc1135d3b2edd0893

SHA256
0f111d69c1d1ce4895b0be5d99d5a4e8ba9dd3d58599c979370100bbc410264c

SHA512
aed182b236658edcd8d7ac190f619e5be712fd9efafe112b07d87e1fffb8c8fe5cd4f64064caf7566028eeee7755266ffceded4fa25de7f9dc340ded6d490400

Download Submit
C:\Users\Admin\AppData\Local\Temp\ajxgtqil.flp\161.exe
Filesize
15.0MB

MD5
6e10487b382380bb4527d3f68866c527

SHA1
7719fb5ff96dc830a1d0fe5cc1135d3b2edd0893

SHA256
0f111d69c1d1ce4895b0be5d99d5a4e8ba9dd3d58599c979370100bbc410264c

SHA512
aed182b236658edcd8d7ac190f619e5be712fd9efafe112b07d87e1fffb8c8fe5cd4f64064caf7566028eeee7755266ffceded4fa25de7f9dc340ded6d490400

Download Submit
C:\Users\Admin\AppData\Local\Temp\asyf4xyi.vdz\file.exe
Filesize
78KB

MD5
5fc39c07d52df3c37daf63750bb7bf09

SHA1
1bafed7312e19dc0cd7570f328102489e4d8179b

SHA256
1bd29bb75f07fe3d123df928e3d92477c7cff8cfa4684d25c8a077b62914be64

SHA512
cc7ce25de9d9fcf3b16c19bf01b626872e4e5d0327fbc9955432094ca9c0469d77cd1070be3288ff53758d6f2217209952a12ae1e7b92e1d9b8dae67a458f76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\asyf4xyi.vdz\file.exe
Filesize
78KB

MD5
5fc39c07d52df3c37daf63750bb7bf09

SHA1
1bafed7312e19dc0cd7570f328102489e4d8179b

SHA256
1bd29bb75f07fe3d123df928e3d92477c7cff8cfa4684d25c8a077b62914be64

SHA512
cc7ce25de9d9fcf3b16c19bf01b626872e4e5d0327fbc9955432094ca9c0469d77cd1070be3288ff53758d6f2217209952a12ae1e7b92e1d9b8dae67a458f76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-77207-279-5f9a1-1b9961bf956a8\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-77207-279-5f9a1-1b9961bf956a8\Naewaexofoxi.exe
Filesize
763KB

MD5
d7bf25d301f074b4b654bdd4a9a40fdf

SHA1
7e52b609b3a96b36cd6a064a3ba54b6733745a7d

SHA256
16312779077ce3e48eb29d11226d87d705aa176aab68adc2cb232ebe495fd956

SHA512
e05b20be918d81a2dd600d955a20fb59820613073a3655c5d4a66936679bb0109740c0b5a4e25316c2066949a6ddc34fe5dd1aca76e628ed62788b58c4e64bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-77207-279-5f9a1-1b9961bf956a8\Naewaexofoxi.exe
Filesize
763KB

MD5
d7bf25d301f074b4b654bdd4a9a40fdf

SHA1
7e52b609b3a96b36cd6a064a3ba54b6733745a7d

SHA256
16312779077ce3e48eb29d11226d87d705aa176aab68adc2cb232ebe495fd956

SHA512
e05b20be918d81a2dd600d955a20fb59820613073a3655c5d4a66936679bb0109740c0b5a4e25316c2066949a6ddc34fe5dd1aca76e628ed62788b58c4e64bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-77207-279-5f9a1-1b9961bf956a8\Naewaexofoxi.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8ADC.tmp\befeduce.exe
Filesize
413KB

MD5
7d38a8db8def31081984d8900625aa84

SHA1
66836a20128acb5f5835450871fc582b25e23848

SHA256
09317e478bd11c9ad852301f489321e3db89a5a7fbc02039218456eb71b291b6

SHA512
86462202ef9138f798428e09c14fc9f8f13264c4b9c3f79597a3424200bf55e8b2da0770e3442e4dc3d75aeb21ad065181e66c52fb32f20690dff80f9fc5ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8ADC.tmp\befeduce.exe
Filesize
413KB

MD5
7d38a8db8def31081984d8900625aa84

SHA1
66836a20128acb5f5835450871fc582b25e23848

SHA256
09317e478bd11c9ad852301f489321e3db89a5a7fbc02039218456eb71b291b6

SHA512
86462202ef9138f798428e09c14fc9f8f13264c4b9c3f79597a3424200bf55e8b2da0770e3442e4dc3d75aeb21ad065181e66c52fb32f20690dff80f9fc5ff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-C8ADC.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CR4P5.tmp\161.tmp
Filesize
1.7MB

MD5
bf7c5877f0a34f96cc6026073fab2ff0

SHA1
951178542fef9d527963d46a1b89ffa38d47af5d

SHA256
0610f14b53c591111639ed9c8b993e97e1c2a4b0d614866d7871bf4a29d25eff

SHA512
77c4ae011f212ce0d304f74e82e0be26e84147633886b39fd20ffaedf518c9caf8d1445df07ee898aec4fbef346da54fcbee7dacd523aef79e561c8be1ecfdee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPE8M.tmp\irecord.tmp
Filesize
704KB

MD5
b5ffb69c517bd2ee5411f7a24845c829

SHA1
1a470a89a3f03effe401bb77b246ced24f5bc539

SHA256
b09d330ec5fce569bc7ce5068ad6cafdb0d947fcc779b3362a424db1a2fa29be

SHA512
5a771ad4237a7ec0159bbba2179fadf067e6d09d80e9f1fb701ffd62ed0203192d20adbe9dd4df4bfb0191cdccecadaf71ecec4a52de06f8ef338905cbea3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FPE8M.tmp\irecord.tmp
Filesize
704KB

MD5
b5ffb69c517bd2ee5411f7a24845c829

SHA1
1a470a89a3f03effe401bb77b246ced24f5bc539

SHA256
b09d330ec5fce569bc7ce5068ad6cafdb0d947fcc779b3362a424db1a2fa29be

SHA512
5a771ad4237a7ec0159bbba2179fadf067e6d09d80e9f1fb701ffd62ed0203192d20adbe9dd4df4bfb0191cdccecadaf71ecec4a52de06f8ef338905cbea3465

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JMDN5.tmp\984cdc0f7f2bc6dabccc5da23de60d32.tmp
Filesize
1.0MB

MD5
1cfdf3c33f022257ec99354fb628f15b

SHA1
6a33446e5c3cd676ab6da31fdf2659d997720052

SHA256
bb698e512539c47b4886c82e39a41fcd1e53eb51f460bfa27c94850dd7cca73c

SHA512
08ea0945d396f61da356eba96c3d8e497c7e38b9b592d771336d2a9823fb0c5bdd960dc3c888dbdbc214869b536f10f5256ebafcfa391e874b6240d1f6e2a49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\ApiTool.dll
Filesize
959KB

MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\ApiTool.dll
Filesize
959KB

MD5
b5e330f90e1bab5e5ee8ccb04e679687

SHA1
3360a68276a528e4b651c9019b6159315c3acca8

SHA256
2900d536923740fe530891f481e35e37262db5283a4b98047fe5335eacaf3441

SHA512
41ab8f239cfff8e5ddcff95cdf2ae11499d57b2ebe8f0786757a200047fd022bfd6975be95e9cfcc17c405e631f069b9951591cf74faf3e6a548191e63a8439c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\InnoCallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\InnoCallback.dll
Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\botva2.dll
Filesize
41KB

MD5
ef899fa243c07b7b82b3a45f6ec36771

SHA1
4a86313cc8766dcad1c2b00c2b8f9bbe0cf8bbbe

SHA256
da7d0368712ee419952eb2640a65a7f24e39fb7872442ed4d2ee847ec4cfde77

SHA512
3f98b5ad9adfad2111ebd1d8cbab9ae423d624d1668cc64c0bfcdbfedf30c1ce3ea6bc6bcf70f7dd1b01172a4349e7c84fb75d395ee5af73866574c1d734c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\libMaskVPN.dll
Filesize
2.3MB

MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T3DGM.tmp\libMaskVPN.dll
Filesize
2.3MB

MD5
3d88c579199498b224033b6b66638fb8

SHA1
6f6303288e2206efbf18e4716095059fada96fc4

SHA256
5bccb86319fc90210d065648937725b14b43fa0c96f9da56d9984e027adebbc3

SHA512
9740c521ed38643201ed4c2574628454723b9213f12e193c11477e64a2c03daa58d2a48e70df1a7e9654c50a80049f3cf213fd01f2b74e585c3a86027db19ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\installer.exe
Filesize
4.5MB

MD5
4113cbe4628131ffe796cda8314b9d0c

SHA1
cf7be74c1ebb054ec30ee39bd4de66aad8e06bd7

SHA256
4fd44841e621e1e59bea1e6cd326555bca489440646f6e3e0a6f94ade6b28ade

SHA512
870f51a8fbbce701c2f52cb7faaf3633ddbdebca233c57b8330e54f1ce772ad4c0d2df819bf58b96fc57e0faf16253ffcee787c93a5e04b414fde957705a3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\r0rookwb.bxa\installer.exe
Filesize
4.5MB

MD5
4113cbe4628131ffe796cda8314b9d0c

SHA1
cf7be74c1ebb054ec30ee39bd4de66aad8e06bd7

SHA256
4fd44841e621e1e59bea1e6cd326555bca489440646f6e3e0a6f94ade6b28ade

SHA512
870f51a8fbbce701c2f52cb7faaf3633ddbdebca233c57b8330e54f1ce772ad4c0d2df819bf58b96fc57e0faf16253ffcee787c93a5e04b414fde957705a3c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe
Filesize
312KB

MD5
164ff6df27d04a4fe61269392498799d

SHA1
da125280f285d999ebad98f680c6f27f03685725

SHA256
a6eb6107a005fe888ffbb2f6497e82019625c1bbb8c546301716e79327b35b2a

SHA512
fc7678078f5868f79f47303b69f13d3581b88ce44e7cb0d6eb40be182063517bc9862e39d5d9fcab9cc333d20ebd6bb9d9d46cb3aca495b533e678dc3e8cf40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe
Filesize
312KB

MD5
164ff6df27d04a4fe61269392498799d

SHA1
da125280f285d999ebad98f680c6f27f03685725

SHA256
a6eb6107a005fe888ffbb2f6497e82019625c1bbb8c546301716e79327b35b2a

SHA512
fc7678078f5868f79f47303b69f13d3581b88ce44e7cb0d6eb40be182063517bc9862e39d5d9fcab9cc333d20ebd6bb9d9d46cb3aca495b533e678dc3e8cf40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgtpzcxr.2ns\random.exe
Filesize
312KB

MD5
164ff6df27d04a4fe61269392498799d

SHA1
da125280f285d999ebad98f680c6f27f03685725

SHA256
a6eb6107a005fe888ffbb2f6497e82019625c1bbb8c546301716e79327b35b2a

SHA512
fc7678078f5868f79f47303b69f13d3581b88ce44e7cb0d6eb40be182063517bc9862e39d5d9fcab9cc333d20ebd6bb9d9d46cb3aca495b533e678dc3e8cf40f

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
\??\pipe\LOCAL\crashpad_4284_ILLQXRDXWCWKXTHL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/208-151-0x0000000000000000-mapping.dmp

Download
memory/1412-309-0x0000000000000000-mapping.dmp

Download
memory/1536-306-0x0000000000000000-mapping.dmp

Download
memory/1652-316-0x0000000000000000-mapping.dmp

Download
memory/1652-319-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/1652-321-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2324-156-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-130-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-180-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2324-132-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2968-311-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2968-313-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/2968-310-0x0000000000000000-mapping.dmp

Download
memory/3208-160-0x0000000000000000-mapping.dmp

Download
memory/3380-133-0x0000000000000000-mapping.dmp

Download
memory/4028-308-0x0000000000000000-mapping.dmp

Download
memory/4112-136-0x0000000000000000-mapping.dmp

Download
memory/4112-139-0x00007FF8B4BE0000-0x00007FF8B5616000-memory.dmp

Filesize
10.2MB

Download
memory/4284-150-0x0000000000000000-mapping.dmp

Download
memory/4676-144-0x00007FF8B4BE0000-0x00007FF8B5616000-memory.dmp

Filesize
10.2MB

Download
memory/4676-140-0x0000000000000000-mapping.dmp

Download
memory/4692-145-0x0000000000000000-mapping.dmp

Download
memory/4692-149-0x00007FF8B4BE0000-0x00007FF8B5616000-memory.dmp

Filesize
10.2MB

Download
memory/4936-315-0x0000000000000000-mapping.dmp

Download
memory/5764-302-0x0000000000000000-mapping.dmp

Download
memory/5788-304-0x0000000000000000-mapping.dmp

Download
memory/5952-305-0x0000000000000000-mapping.dmp

Download
memory/6052-159-0x0000000000000000-mapping.dmp

Download
memory/6600-314-0x0000000000000000-mapping.dmp

Download
memory/6628-161-0x0000000000000000-mapping.dmp

Download
memory/6764-164-0x0000000000000000-mapping.dmp

Download
memory/6784-166-0x0000000000000000-mapping.dmp

Download
memory/7092-171-0x0000000000000000-mapping.dmp

Download
memory/7108-174-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/7108-172-0x0000000000000000-mapping.dmp

Download
memory/7108-181-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/7120-331-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7120-329-0x0000000034530000-0x0000000034588000-memory.dmp

Filesize
352KB

Download
memory/7120-327-0x00000000343D0000-0x0000000034528000-memory.dmp

Filesize
1.3MB

Download
memory/7120-326-0x00000000335B0000-0x0000000033776000-memory.dmp

Filesize
1.8MB

Download
memory/7120-325-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7120-322-0x0000000000400000-0x00000000015D7000-memory.dmp

Filesize
17.8MB

Download
memory/7204-177-0x0000000000000000-mapping.dmp

Download
memory/7228-179-0x0000000000000000-mapping.dmp

Download
memory/7340-183-0x0000000000000000-mapping.dmp

Download
memory/7372-184-0x0000000000000000-mapping.dmp

Download
memory/7420-188-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/7420-192-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/7420-332-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/7420-275-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/7420-186-0x0000000000000000-mapping.dmp

Download
memory/7508-191-0x0000000000000000-mapping.dmp

Download
memory/7508-199-0x00000000007ED000-0x0000000000813000-memory.dmp

Filesize
152KB

Download
memory/7508-210-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/7508-200-0x0000000002270000-0x00000000022AF000-memory.dmp

Filesize
252KB

Download
memory/7508-278-0x0000000002270000-0x00000000022AF000-memory.dmp

Filesize
252KB

Download
memory/7508-283-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/7508-317-0x00000000007ED000-0x0000000000813000-memory.dmp

Filesize
152KB

Download
memory/7508-318-0x0000000000400000-0x0000000000677000-memory.dmp

Filesize
2.5MB

Download
memory/7508-277-0x00000000007ED000-0x0000000000813000-memory.dmp

Filesize
152KB

Download
memory/7528-227-0x00000000038D0000-0x00000000038DF000-memory.dmp

Filesize
60KB

Download
memory/7528-193-0x0000000000000000-mapping.dmp

Download
memory/7528-232-0x0000000003A60000-0x0000000003A75000-memory.dmp

Filesize
84KB

Download
memory/7528-235-0x0000000005BF0000-0x0000000005FF0000-memory.dmp

Filesize
4.0MB

Download
memory/7528-204-0x0000000003240000-0x0000000003520000-memory.dmp

Filesize
2.9MB

Download
memory/7552-198-0x0000000000000000-mapping.dmp

Download
memory/7796-201-0x0000000000000000-mapping.dmp

Download
memory/7860-205-0x0000000000000000-mapping.dmp

Download
memory/7876-271-0x0000000006910000-0x0000000006B81000-memory.dmp

Filesize
2.4MB

Download
memory/7876-272-0x000000006AB00000-0x000000006AB51000-memory.dmp

Filesize
324KB

Download
memory/7876-270-0x0000000065EC0000-0x0000000067271000-memory.dmp

Filesize
19.7MB

Download
memory/7876-267-0x0000000006910000-0x0000000006B81000-memory.dmp

Filesize
2.4MB

Download
memory/7876-250-0x0000000071CF0000-0x00000000722A1000-memory.dmp

Filesize
5.7MB

Download
memory/7876-264-0x0000000006910000-0x0000000006B81000-memory.dmp

Filesize
2.4MB

Download
memory/7876-298-0x0000000071CF0000-0x00000000722A1000-memory.dmp

Filesize
5.7MB

Download
memory/7876-307-0x0000000065EC0000-0x0000000067271000-memory.dmp

Filesize
19.7MB

Download
memory/7876-207-0x0000000000000000-mapping.dmp

Download
memory/7984-215-0x0000000000000000-mapping.dmp

Download
memory/8028-216-0x0000000000000000-mapping.dmp

Download
memory/8124-217-0x0000000000000000-mapping.dmp

Download
memory/8272-220-0x0000000000000000-mapping.dmp

Download
memory/8468-229-0x0000000000000000-mapping.dmp

Download
memory/8508-236-0x0000000000000000-mapping.dmp

Download
memory/8560-239-0x0000000000000000-mapping.dmp

Download
memory/8576-241-0x0000000000000000-mapping.dmp

Download
memory/8900-259-0x0000000000000000-mapping.dmp

Download
memory/8956-260-0x0000000000000000-mapping.dmp

Download
memory/8984-261-0x0000000000000000-mapping.dmp

Download
memory/8984-262-0x00000000008B0000-0x00000000008B9000-memory.dmp

Filesize
36KB

Download
memory/8984-263-0x00000000008E0000-0x00000000008ED000-memory.dmp

Filesize
52KB

Download
memory/9068-265-0x0000000000000000-mapping.dmp

Download
memory/9068-268-0x0000000005600000-0x0000000005650000-memory.dmp

Filesize
320KB

Download
memory/9068-269-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/9068-274-0x0000000005DA0000-0x0000000005E32000-memory.dmp

Filesize
584KB

Download
memory/9068-284-0x00000000063F0000-0x0000000006994000-memory.dmp

Filesize
5.6MB

Download
memory/9208-273-0x0000000000000000-mapping.dmp

Download
memory/9272-276-0x0000000000000000-mapping.dmp

Download
memory/9360-154-0x0000000000000000-mapping.dmp

Download
memory/9368-279-0x0000000000000000-mapping.dmp

Download
memory/9368-281-0x0000000140000000-0x0000000140679000-memory.dmp

Filesize
6.5MB

Download
memory/9372-280-0x0000000000000000-mapping.dmp

Download
memory/9392-286-0x0000000000000000-mapping.dmp

Download
memory/9396-155-0x0000000000000000-mapping.dmp

Download
memory/9452-288-0x0000000000000000-mapping.dmp

Download
memory/9548-289-0x0000000000000000-mapping.dmp

Download
memory/9696-290-0x0000000000000000-mapping.dmp

Download
memory/9772-291-0x0000000000000000-mapping.dmp

Download
memory/9816-292-0x0000000000000000-mapping.dmp

Download
memory/9896-293-0x0000000000000000-mapping.dmp

Download
memory/9912-294-0x0000000000000000-mapping.dmp

Download
memory/9972-295-0x0000000000000000-mapping.dmp

Download
memory/10100-296-0x0000000000000000-mapping.dmp

Download
memory/10188-297-0x0000000000000000-mapping.dmp

Download
memory/10224-300-0x0000000000000000-mapping.dmp

Download