8e36f365aa367d174901b6add2966f4cfac58039a4c6724b3dd07c57b001c8d0

System Information Discovery

Processes:

iobituninstaller.tmpiobituninstaller.tmpiush.exeSetup.exeIObitUninstaler.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	iobituninstaller.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	iobituninstaller.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	iush.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	IObitUninstaler.exe

Executes dropped EXE 22 IoCs

Processes:

iobituninstaller.tmpSetup.exeiobituninstaller.tmpiushrun.exeiush.exeIUService.exeICONPIN64.exeDSPut.exeCrRestore.exeUninstallPromote.exeUninstallMonitor.exeDSPut.exeAutoUpdate.exeIObitUninstaler.exeUninstallMonitor.exeiush.exeAUpdate.exeAutoUpdate.exeuninstaller.exeUn_A.exedefault-browser-agent.exeUn_B.exe

pid	process
4380	iobituninstaller.tmp
3308	Setup.exe
4628	iobituninstaller.tmp
4916	iushrun.exe
756	iush.exe
5056	IUService.exe
4760	ICONPIN64.exe
4768	DSPut.exe
1392	CrRestore.exe
5016	UninstallPromote.exe
4256	UninstallMonitor.exe
4736	DSPut.exe
1416	AutoUpdate.exe
3548	IObitUninstaler.exe
4560	UninstallMonitor.exe
1072	iush.exe
4300	AUpdate.exe
3172	AutoUpdate.exe
1664	uninstaller.exe
4628	Un_A.exe
3636	default-browser-agent.exe
3836	Un_B.exe

Loads dropped DLL 64 IoCs

Processes:

iushrun.exeiush.exeIUService.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeDSPut.exeExplorer.EXECrRestore.exeUninstallPromote.exeUninstallMonitor.exeDSPut.exeAutoUpdate.exe

pid	process
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
756	iush.exe
756	iush.exe
756	iush.exe
756	iush.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
464	regsvr32.exe
3420	regsvr32.exe
1124	regsvr32.exe
2020	regsvr32.exe
2020	regsvr32.exe
756	iush.exe
756	iush.exe
4768	DSPut.exe
4768	DSPut.exe
4768	DSPut.exe
4768	DSPut.exe
756	iush.exe
4768	DSPut.exe
3132	Explorer.EXE
1392	CrRestore.exe
1392	CrRestore.exe
1392	CrRestore.exe
1392	CrRestore.exe
1392	CrRestore.exe
1392	CrRestore.exe
5016	UninstallPromote.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4736	DSPut.exe
1416	AutoUpdate.exe
1416	AutoUpdate.exe
4736	DSPut.exe
4736	DSPut.exe
4736	DSPut.exe
1416	AutoUpdate.exe
1416	AutoUpdate.exe
4736	DSPut.exe
1416	AutoUpdate.exe
1416	AutoUpdate.exe
4736	DSPut.exe
4736	DSPut.exe
1416	AutoUpdate.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

Change Default File Association

T1042

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeUn_A.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\UninstallExplorer.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E13E0A72-8B22-47B9-B8B5-C5C8C56BBF1E}\InProcServer32	Un_A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\PROGRA~2\\IObit\\IOBITU~1\\UNINST~1.DLL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

Processes:

Un_A.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Un_A.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

IObitUninstaler.exe

description	ioc	process
File opened (read-only)	\??\G:	IObitUninstaler.exe
File opened (read-only)	\??\J:	IObitUninstaler.exe
File opened (read-only)	\??\K:	IObitUninstaler.exe
File opened (read-only)	\??\L:	IObitUninstaler.exe
File opened (read-only)	\??\S:	IObitUninstaler.exe
File opened (read-only)	\??\U:	IObitUninstaler.exe
File opened (read-only)	\??\Z:	IObitUninstaler.exe
File opened (read-only)	\??\B:	IObitUninstaler.exe
File opened (read-only)	\??\I:	IObitUninstaler.exe
File opened (read-only)	\??\P:	IObitUninstaler.exe
File opened (read-only)	\??\R:	IObitUninstaler.exe
File opened (read-only)	\??\Y:	IObitUninstaler.exe
File opened (read-only)	\??\A:	IObitUninstaler.exe
File opened (read-only)	\??\E:	IObitUninstaler.exe
File opened (read-only)	\??\H:	IObitUninstaler.exe
File opened (read-only)	\??\M:	IObitUninstaler.exe
File opened (read-only)	\??\O:	IObitUninstaler.exe
File opened (read-only)	\??\Q:	IObitUninstaler.exe
File opened (read-only)	\??\T:	IObitUninstaler.exe
File opened (read-only)	\??\F:	IObitUninstaler.exe
File opened (read-only)	\??\N:	IObitUninstaler.exe
File opened (read-only)	\??\V:	IObitUninstaler.exe
File opened (read-only)	\??\W:	IObitUninstaler.exe
File opened (read-only)	\??\X:	IObitUninstaler.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\NewTime = "2023-03-11 19:11:34:515"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\ = "ExplorerWnd Helper"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}\NoInternetExplorer = "1"	regsvr32.exe

Maps connected drives based on registry 3 TTPs 7 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

IObitUninstaler.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\Enum	IObitUninstaler.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\	IObitUninstaler.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	IObitUninstaler.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	IObitUninstaler.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	IObitUninstaler.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\Count	IObitUninstaler.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\NextInstance	IObitUninstaler.exe

Drops file in Program Files directory 64 IoCs

Processes:

iobituninstaller.tmpAutoUpdate.exeUn_A.exeCrRestore.exeIObitUninstaler.exehelper.exeUn_B.exe

description	ioc	process
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-L965Q.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_ia64\is-FFF7M.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\update\freeware.ini.tmp	AutoUpdate.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-synch-l1-2-0.dll	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-2IKA7.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-AQJ8U.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\History\is-31690.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\History\is-189BO.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_ia64\IUFileFilter.sys	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Backup\RegisterCom.dll	CrRestore.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nslC8F.tmp	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-7680T.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\is-C1AJL.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent_localized.ini	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-35E5F.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-FA2N7.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-MMIM2.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-913ST.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_amd64\IUProcessFilter.sys	iobituninstaller.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\update\ExpSlist.dat.tmp	IObitUninstaler.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe	helper.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-Q7V2O.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpi	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\installation_telemetry.json	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nslC8F.tmp\mozwer.dll	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-4GKOD.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Database\is-FRPFA.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\History\is-GLART.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-BITP6.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_ia64\IUProcessFilter.sys	iobituninstaller.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-TS7QF.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-OUSSC.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_ia64\is-1J02J.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\osclientcerts.dll	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-SMVHQ.tmp	iobituninstaller.tmp
File created	C:\Program Files\Mozilla Firefox\nslC8F.tmp\firefox.exe	Un_A.exe
File created	C:\Program Files\Mozilla Firefox\nslC8F.tmp\AccessibleHandler.dll	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win7_amd64\is-AL9ES.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-3A01V.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files (x86)\IObit\IObit Uninstaller\unins000.dat	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Update\Temp\Database\usoft.dbd	AutoUpdate.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-D1O91.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Language\is-P6J7N.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files\Mozilla Firefox\nslC8F.tmp\IA2Marshal.dll	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\is-8RJAF.tmp	iobituninstaller.tmp
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Drivers\win10_x86\is-673E1.tmp	iobituninstaller.tmp
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-uninstall.log.moz-delete	Un_B.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Action Center\is-B0QE8.tmp	iobituninstaller.tmp
File created	C:\Program Files\Mozilla Firefox\nslC8F.tmp\pingsender.exe	Un_A.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpi	Un_A.exe
File created	C:\Program Files (x86)\IObit\IObit Uninstaller\Update\Temp\Pub\PDFTRTips.exe	AutoUpdate.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nssckbi.dll	Un_A.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 5 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\is-ONONL.tmp\iush.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\is-ONONL.tmp\Installer\iushrun.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\is-ONONL.tmp\Installer\iushrun.exe	nsis_installer_2
C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe	nsis_installer_2
C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe	nsis_installer_2

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeUn_A.exeregsvr32.exeregsvr32.exeExplorer.EXEiush.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_CLASSES\FIREFOXPDF-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	Un_A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\FLAGS	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SYNCHRONOUSINTERFACE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}\InprocHandler32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\ = "IObitUninstaller Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\Shell\Open\command	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\ShellFolder	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\ = "IObit Uninstaller"	iush.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXPDF-308046B0AF4A39CB\SHELL\OPEN\DDEEXEC	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E13E0A72-8B22-47B9-B8B5-C5C8C56BBF1E}\InProcServer32	Un_A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\0\win64\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PfShellExtension.DLL	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\FIREFOX.EXE\SHELL\OPEN\COMMAND	Un_A.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open	Un_A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\IObitUninstaller\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller\ = "{836AB26C-2DE4-41D3-AC24-4C6C2699B960}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command	Un_A.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.ogv\OpenWithProgids	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\NUMMETHODS	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{CE30F77E-8847-44F0-A648-A9656BD89C0D}\NUMMETHODS	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{59A55EF0-525F-4276-AB62-8F7E5F230399}\ = "PfShellExtension"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Un_A.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\{305CA226-D286-468e-B848-2B2E8E697B74} 2 = "8"	iush.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXURL-308046B0AF4A39CB\DEFAULTICON	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppUserModelId\FirefoxToast-308046B0AF4A39CB	Un_A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IUMenuRight.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DAF0374A-11AB-4E4E-B141-663E77D63E4C}\1.0\0\win64	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}\InprocServer32\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\UninstallExplorer.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon\ = "C:\\Program Files (x86)\\IObit\\IObit Uninstaller\\IObitUninstaler.exe,0"	iush.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{836AB26C-2DE4-41D3-AC24-4C6C2699B960}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe\shell\open	Un_A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UninstallExplorer.ExplorerBtn\ = "ExplorerWnd Helper"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8DE189EC-C9C8-4D31-9F18-E0B7407019A9}\DefaultIcon	iush.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\firefox.exe	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32983FF-EF84-4945-8F86-FB7491B4F57B}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\FirefoxPDF-308046B0AF4A39CB	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\IObitUninstaller	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\FIREFOX.EXE\SUPPORTEDTYPES	Un_A.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\FirefoxPDF-308046B0AF4A39CB\shell\open	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open	Un_A.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

AutoUpdate.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 1900000001000000100000004fca18b530ab2d3765b8830436884be603000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e87e000000010000000800000000409120d035d9011d00000001000000100000003475b6ae07580528b505a98d7f0fe1f4140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d62000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba79687997f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030153000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d004900290000000f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d9820000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 040000000100000010000000ebf59d290d61f9421f7cc2ba6de315090f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d980b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d0049002900000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030162000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d1d00000001000000100000003475b6ae07580528b505a98d7f0fe1f47e000000010000000800000000409120d035d90103000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e81900000001000000100000004fca18b530ab2d3765b8830436884be620000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 5c0000000100000004000000000800001900000001000000100000004fca18b530ab2d3765b8830436884be603000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e87e000000010000000800000000409120d035d9011d00000001000000100000003475b6ae07580528b505a98d7f0fe1f4140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d62000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba79687997f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030153000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d004900290000000f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d98040000000100000010000000ebf59d290d61f9421f7cc2ba6de3150920000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AutoUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8\Blob = 0f00000001000000140000001b8b713e8748912a4b073db0c8e9e3e5c0962d980b00000001000000660000004100670065006e00630069006100200043006100740061006c0061006e0061002000640065002000430065007200740069006600690063006100630069006f00200028004e0049004600200051002d0030003800300031003100370036002d0049002900000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07f0000000100000020000000301e06082b0601050507030306082b0601050507030906082b0601050507030162000000010000002000000088497f01602f3154246ae28c4d5aef10f1d87ebb76626f4ae0b7f95ba7968799140000000100000014000000a0c38b44aa37a545bf97805ad1f178a29be95d8d1d00000001000000100000003475b6ae07580528b505a98d7f0fe1f47e000000010000000800000000409120d035d90103000000010000001400000028903a635b5280fae6774c0b6da7d6baa64af2e820000000010000005a050000308205563082043ea0030201020210ee2b3debd421de14a862ac04f3ddc401300d06092a864886f70d01010505003081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d414343301e170d3033303130373233303030305a170d3331303130373232353935395a3081f3310b3009060355040613024553313b3039060355040a13324167656e63696120436174616c616e612064652043657274696669636163696f20284e494620512d303830313137362d492931283026060355040b131f53657276656973205075626c6963732064652043657274696669636163696f31353033060355040b132c56656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20286329303331353033060355040b132c4a657261727175696120456e7469746174732064652043657274696669636163696f20436174616c616e6573310f300d0603550403130645432d41434330820122300d06092a864886f70d01010105000382010f003082010a0282010100b322c74fe297429588478340f61d17f38373241e51f3988ac392b8ff409005708760c900a9b5946519221517c2436c66449a0d043e396fa54b7aaa63b78a449dd963918466e0280fba42e36e8ef714279369ee910ea35f0eb1eb66a2724f121386657a3edb4f07f4a70960da3a4299c7b27fb316951cc7f934b59485d5995ea048a07ee71765b8a275b81ef3e5427dafedf38a48645d821493d8c0e4ffb35072f276f6b35d425079d0943e6b0c00bed86b0e4e2aec3ed2cc82a218653313779e9a5d1a13d8c3db3dc8977aee70eda7e67cdb71cf2d9462df6dd6f538be3fa5850a19b8a8d809754270c4eaefcb0ec834a81222980cb81394b64becf0d090e7270203010001a381e33081e0301d0603551d1104163014811265635f61636340636174636572742e6e6574300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414a0c38b44aa37a545bf97805ad1f178a29be95d8d307f0603551d20047830763074060b2b06010401f5780103010a3065302c06082b06010505070201162068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c303506082b0601050507020230291a2756656765752068747470733a2f2f7777772e636174636572742e6e65742f766572617272656c20300d06092a864886f70d01010505000382010100a0485b8201f64d48b83955359c807a5399d55affb1713bcc3909945ed6daefbe015b5dd31ed8fd7d4fcda041e03493bfcbe2869c379290561cdceb2905e5c49ec735df8a0ccdc52143e9aa88e535c01942635a025ea448183a856fdc9dbc3f9d9cc187b87a6108e9770b7f70ab7addd9972c641e85bfbc7496a1c37a12ec0c1a6e830c3ce872469ffb48d55e97e6b1a1f8e4ef4625949c89db6938beec5c0e56c76551e5508888bf42d52b3de5f9ba9e2eb3caf47392020bbe4c66eb20feb9cbb5997fe6b613faca4b4dd9ee5346063bc64ead935a817e6c2a4b6a05458cf221a43190876c659c9da560953a527ff5d1ab086ef3ee5bf9883d7eb86f6e03e442	AutoUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	AutoUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AutoUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\28903A635B5280FAE6774C0B6DA7D6BAA64AF2E8	AutoUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.exeiushrun.exeiush.exeIUService.exeDSPut.exeCrRestore.exeiobituninstaller.tmpUninstallPromote.exeUninstallMonitor.exeDSPut.exeAutoUpdate.exe

pid	process
3308	Setup.exe
3308	Setup.exe
3308	Setup.exe
3308	Setup.exe
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
4916	iushrun.exe
756	iush.exe
756	iush.exe
756	iush.exe
756	iush.exe
5056	IUService.exe
5056	IUService.exe
4768	DSPut.exe
4768	DSPut.exe
756	iush.exe
756	iush.exe
1392	CrRestore.exe
1392	CrRestore.exe
1392	CrRestore.exe
1392	CrRestore.exe
5056	IUService.exe
5056	IUService.exe
4628	iobituninstaller.tmp
4628	iobituninstaller.tmp
5016	UninstallPromote.exe
5016	UninstallPromote.exe
5016	UninstallPromote.exe
5016	UninstallPromote.exe
5016	UninstallPromote.exe
5016	UninstallPromote.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
5056	IUService.exe
4736	DSPut.exe
4736	DSPut.exe
1416	AutoUpdate.exe
1416	AutoUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

IObitUninstaler.exe

pid process

3548 IObitUninstaler.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
3548	IObitUninstaler.exe

pid	process
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEUninstallMonitor.exeUninstallMonitor.exe

description	pid	process
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeDebugPrivilege	4256	UninstallMonitor.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE
Token: SeDebugPrivilege	4560	UninstallMonitor.exe
Token: SeShutdownPrivilege	3132	Explorer.EXE
Token: SeCreatePagefilePrivilege	3132	Explorer.EXE

Suspicious use of FindShellTrayWindow 20 IoCs

Processes:

Setup.exeiushrun.exeiobituninstaller.tmpiush.exeExplorer.EXECrRestore.exeUninstallMonitor.exeAutoUpdate.exeIObitUninstaler.exeUninstallMonitor.exeiush.exeAutoUpdate.exeUn_A.exe

pid	process
3308	Setup.exe
3308	Setup.exe
4916	iushrun.exe
4628	iobituninstaller.tmp
756	iush.exe
3132	Explorer.EXE
1392	CrRestore.exe
4256	UninstallMonitor.exe
4256	UninstallMonitor.exe
1416	AutoUpdate.exe
1416	AutoUpdate.exe
3548	IObitUninstaler.exe
4560	UninstallMonitor.exe
1072	iush.exe
3172	AutoUpdate.exe
3172	AutoUpdate.exe
3548	IObitUninstaler.exe
4628	Un_A.exe
3132	Explorer.EXE
3132	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AutoUpdate.exeAutoUpdate.exe

pid process

1416 AutoUpdate.exe
3172 AutoUpdate.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

iush.exeDSPut.exeICONPIN64.exe

pid process

756 iush.exe
4768 DSPut.exe
4760 ICONPIN64.exe

pid	process
1416	AutoUpdate.exe
3172	AutoUpdate.exe

pid	process
756	iush.exe
4768	DSPut.exe
4760	ICONPIN64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iobituninstaller.exeiobituninstaller.tmpSetup.exeiobituninstaller.exeiobituninstaller.tmpiush.exeregsvr32.exeregsvr32.exeICONPIN64.exeIUService.exeIObitUninstaler.exeregsvr32.exe

description	pid	process	target process
PID 636 wrote to memory of 4380	636	iobituninstaller.exe	iobituninstaller.tmp
PID 636 wrote to memory of 4380	636	iobituninstaller.exe	iobituninstaller.tmp
PID 636 wrote to memory of 4380	636	iobituninstaller.exe	iobituninstaller.tmp
PID 4380 wrote to memory of 3308	4380	iobituninstaller.tmp	Setup.exe
PID 4380 wrote to memory of 3308	4380	iobituninstaller.tmp	Setup.exe
PID 4380 wrote to memory of 3308	4380	iobituninstaller.tmp	Setup.exe
PID 3308 wrote to memory of 4688	3308	Setup.exe	iobituninstaller.exe
PID 3308 wrote to memory of 4688	3308	Setup.exe	iobituninstaller.exe
PID 3308 wrote to memory of 4688	3308	Setup.exe	iobituninstaller.exe
PID 4688 wrote to memory of 4628	4688	iobituninstaller.exe	iobituninstaller.tmp
PID 4688 wrote to memory of 4628	4688	iobituninstaller.exe	iobituninstaller.tmp
PID 4688 wrote to memory of 4628	4688	iobituninstaller.exe	iobituninstaller.tmp
PID 4628 wrote to memory of 4916	4628	iobituninstaller.tmp	iushrun.exe
PID 4628 wrote to memory of 4916	4628	iobituninstaller.tmp	iushrun.exe
PID 4628 wrote to memory of 4916	4628	iobituninstaller.tmp	iushrun.exe
PID 4628 wrote to memory of 756	4628	iobituninstaller.tmp	iush.exe
PID 4628 wrote to memory of 756	4628	iobituninstaller.tmp	iush.exe
PID 4628 wrote to memory of 756	4628	iobituninstaller.tmp	iush.exe
PID 756 wrote to memory of 464	756	iush.exe	regsvr32.exe
PID 756 wrote to memory of 464	756	iush.exe	regsvr32.exe
PID 756 wrote to memory of 464	756	iush.exe	regsvr32.exe
PID 756 wrote to memory of 1124	756	iush.exe	regsvr32.exe
PID 756 wrote to memory of 1124	756	iush.exe	regsvr32.exe
PID 756 wrote to memory of 1124	756	iush.exe	regsvr32.exe
PID 464 wrote to memory of 3420	464	regsvr32.exe	regsvr32.exe
PID 464 wrote to memory of 3420	464	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2020	1124	regsvr32.exe	regsvr32.exe
PID 1124 wrote to memory of 2020	1124	regsvr32.exe	regsvr32.exe
PID 756 wrote to memory of 4760	756	iush.exe	ICONPIN64.exe
PID 756 wrote to memory of 4760	756	iush.exe	ICONPIN64.exe
PID 756 wrote to memory of 4768	756	iush.exe	DSPut.exe
PID 756 wrote to memory of 4768	756	iush.exe	DSPut.exe
PID 756 wrote to memory of 4768	756	iush.exe	DSPut.exe
PID 4760 wrote to memory of 3132	4760	ICONPIN64.exe	Explorer.EXE
PID 4628 wrote to memory of 1392	4628	iobituninstaller.tmp	CrRestore.exe
PID 4628 wrote to memory of 1392	4628	iobituninstaller.tmp	CrRestore.exe
PID 4628 wrote to memory of 1392	4628	iobituninstaller.tmp	CrRestore.exe
PID 4628 wrote to memory of 5016	4628	iobituninstaller.tmp	UninstallPromote.exe
PID 4628 wrote to memory of 5016	4628	iobituninstaller.tmp	UninstallPromote.exe
PID 4628 wrote to memory of 5016	4628	iobituninstaller.tmp	UninstallPromote.exe
PID 5056 wrote to memory of 4256	5056	IUService.exe	UninstallMonitor.exe
PID 5056 wrote to memory of 4256	5056	IUService.exe	UninstallMonitor.exe
PID 5056 wrote to memory of 4256	5056	IUService.exe	UninstallMonitor.exe
PID 5056 wrote to memory of 4736	5056	IUService.exe	DSPut.exe
PID 5056 wrote to memory of 4736	5056	IUService.exe	DSPut.exe
PID 5056 wrote to memory of 4736	5056	IUService.exe	DSPut.exe
PID 5056 wrote to memory of 1416	5056	IUService.exe	AutoUpdate.exe
PID 5056 wrote to memory of 1416	5056	IUService.exe	AutoUpdate.exe
PID 5056 wrote to memory of 1416	5056	IUService.exe	AutoUpdate.exe
PID 3308 wrote to memory of 3548	3308	Setup.exe	IObitUninstaler.exe
PID 3308 wrote to memory of 3548	3308	Setup.exe	IObitUninstaler.exe
PID 3308 wrote to memory of 3548	3308	Setup.exe	IObitUninstaler.exe
PID 3548 wrote to memory of 4560	3548	IObitUninstaler.exe	UninstallMonitor.exe
PID 3548 wrote to memory of 4560	3548	IObitUninstaler.exe	UninstallMonitor.exe
PID 3548 wrote to memory of 4560	3548	IObitUninstaler.exe	UninstallMonitor.exe
PID 3308 wrote to memory of 1072	3308	Setup.exe	iush.exe
PID 3308 wrote to memory of 1072	3308	Setup.exe	iush.exe
PID 3308 wrote to memory of 1072	3308	Setup.exe	iush.exe
PID 3548 wrote to memory of 4900	3548	IObitUninstaler.exe	regsvr32.exe
PID 3548 wrote to memory of 4900	3548	IObitUninstaler.exe	regsvr32.exe
PID 3548 wrote to memory of 4900	3548	IObitUninstaler.exe	regsvr32.exe
PID 4900 wrote to memory of 3112	4900	regsvr32.exe	regsvr32.exe
PID 4900 wrote to memory of 3112	4900	regsvr32.exe	regsvr32.exe
PID 3548 wrote to memory of 4300	3548	IObitUninstaler.exe	AUpdate.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3132

C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\is-DCQ08.tmp\iobituninstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DCQ08.tmp\iobituninstaller.tmp" /SL5="$80070,26554143,139264,C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\is-63E9O.tmp\Installer\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-63E9O.tmp\Installer\Setup.exe" /setup "C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe" "" "/Ver=12.3.0.9"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe
"C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe" /verysilent /NORESTART /DIR="C:\Program Files (x86)\IObit\IObit Uninstaller\" /TASKS="desktopicon, " /do /dt ""
5⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Users\Admin\AppData\Local\Temp\is-5TGLO.tmp\iobituninstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5TGLO.tmp\iobituninstaller.tmp" /SL5="$201CE,26554143,139264,C:\Users\Admin\AppData\Local\Temp\iobituninstaller.exe" /verysilent /NORESTART /DIR="C:\Program Files (x86)\IObit\IObit Uninstaller\" /TASKS="desktopicon, " /do /dt ""
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4628

C:\Users\Admin\AppData\Local\Temp\is-ONONL.tmp\Installer\iushrun.exe
"C:\Users\Admin\AppData\Local\Temp\is-ONONL.tmp\Installer\iushrun.exe" /ii "C:\Program Files (x86)\IObit\IObit Uninstaller"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4916

C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe" /if "C:\Program Files (x86)\IObit\IObit Uninstaller" /dt /insur=
7⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
9⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:3420

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll"
8⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer.dll"
9⤵
- Loads dropped DLL
- Registers COM server for autorun
- Installs/modifies Browser Helper Object
- Modifies registry class
PID:2020

C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\ICONPIN64.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\TaskbarPin\ICONPIN64.exe" Pin "C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760

C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe" /Now /update /W3sidmVyc2lvbiI6IjAuMC4wLjAiLCJzaG93IjowLCJjbGljayI6MCwibGFzdCI6MH1d
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Program Files (x86)\IObit\IObit Uninstaller\CrRestore.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\CrRestore.exe" /Backup
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1392

C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallPromote.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallPromote.exe" /INSTALL un12
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe" /setup
5⤵
- Checks computer location settings
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3548

C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe" /Set
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4560

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
6⤵
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
7⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
PID:3112

C:\Program Files (x86)\IObit\IObit Uninstaller\AUpdate.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\AUpdate.exe" /a un12 /p es /v 12.3.0.9 /t 1 /d 7 /un /user
6⤵
- Executes dropped EXE
PID:4300

C:\Program Files (x86)\IObit\IObit Uninstaller\AutoUpdate.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\AutoUpdate.exe" /Nomal
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3172

C:\Program Files\Mozilla Firefox\uninstall\helper.exe
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe"
6⤵
- Drops file in Program Files directory
PID:384

C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe
"C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe"
7⤵
- Executes dropped EXE
PID:1664

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\Mozilla Firefox\uninstall\
8⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4628

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
9⤵
- Registers COM server for autorun
- Modifies registry class
PID:2996

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" uninstall 308046B0AF4A39CB
9⤵
- Executes dropped EXE
PID:3636

C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe" /S
9⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_B.exe" /S _?=C:\Program Files (x86)\Mozilla Maintenance Service\
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" uninstall
11⤵
PID:1412

C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe"
6⤵
PID:4040

C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe" /x
6⤵
PID:1144

C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\iush.exe" /tmpDir="C:\Users\Admin\AppData\Local\Temp\is-63E9O.tmp\"
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1072

C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IObitUninstaler.exe"
2⤵
PID:2508

C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe" /Set
3⤵
PID:4656

C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe" /Now /prom /W3sidmVyc2lvbiI6IjEyLjMiLCJsYW5nIjoiZXMiLCJrZXkiOiJuZXcycyJ9XQ==
3⤵
PID:756

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
3⤵
PID:4712

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\IObit\IObit Uninstaller\IUMenuRight.dll"
4⤵
PID:4696

C:\Program Files (x86)\IObit\IObit Uninstaller\AUpdate.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\AUpdate.exe" /a un12 /p es /v 12.3.0.9 /t 1 /d 7 /un /user
3⤵
PID:5032

C:\Program Files (x86)\IObit\IObit Uninstaller\AutoUpdate.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\AutoUpdate.exe" /Nomal
3⤵
PID:4232

C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe"
3⤵
PID:60

C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\PPUninstaller.exe" /x
3⤵
PID:2712

C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\IUService.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5056

C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallMonitor.exe" /srvupt
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4256

C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\DSPut.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Program Files (x86)\IObit\IObit Uninstaller\AutoUpdate.exe
"C:\Program Files (x86)\IObit\IObit Uninstaller\AutoUpdate.exe" /SvcCheck
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery