dcrat | afe2d9fd6e0dc6add700401243c0028d315b88f58ba9510a70e1359c0747aa43

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0eO6BMV8FYaicpqJNI1m.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	0eO6BMV8FYaicpqJNI1m.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0eO6BMV8FYaicpqJNI1m.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0eO6BMV8FYaicpqJNI1m.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0eO6BMV8FYaicpqJNI1m.exe

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hlfoIuzNng05RlXh7HYJfBU8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	0RJTRXPtE9fOfF7sQTqY.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Downloads MZ/PE file

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x0006000000016d26-365.dat	net_reactor
behavioral1/files/0x0006000000016d26-484.dat	net_reactor
behavioral1/files/0x0006000000016d26-487.dat	net_reactor
behavioral1/files/0x0006000000016d26-503.dat	net_reactor
behavioral1/memory/2088-509-0x0000000000AD0000-0x0000000000FAA000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hlfoIuzNng05RlXh7HYJfBU8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hlfoIuzNng05RlXh7HYJfBU8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0RJTRXPtE9fOfF7sQTqY.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0RJTRXPtE9fOfF7sQTqY.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 40 IoCs

pid	Process
1308	_k9gZGGvGrt0DIdtWjvwBCze.exe
2768	qM6XeEt2NWmWEAVBZ_LVsVkx.exe
1764	NuMdjg_hEXiJwZ0UTVK1pNTE.exe
1844	xFClu5IyEneXZaEovI6Lf8f1.exe
2708	99PyHXy5BUElKykNr7H1LJ59.exe
1676	FYmrnUINPhcDKBVH0m5G8Acm.exe
3048	ztgomdFnOEO7sxBt0svOuxpQ.exe
796	wmiprvse.exe
664	xInedBS6QFz607xYBFDPRILE.exe
540	vHB2eRqDUE8bIYe3zzMa2VDM.exe
820	DmEbJsJbIJ3rgqR_JwIfJIlf.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
2432	qgi_xecQo0vKLaMdgQQW7X3r.exe
2424	kBNZAwXLhl1u0hMwYgvN5zkZ.exe
2088	LjKOjEvpJLJe36lsvzfFk2iU.exe
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
1660	timeout.exe
1220	jscalendarlib.exe
2964	Letting.pif
1732	821B.exe
1640	0RJTRXPtE9fOfF7sQTqY.exe
2360	A7A8.exe
3004	8CD6.exe
584	BC70.exe
2372	kBNZAwXLhl1u0hMwYgvN5zkZ.exe
1648	InstallSetup4.exe
3032	288c47bbc1871b439df19ff4df68f076.exe
3028	BroomSetup.exe
2324	F923.exe
2352	F923.tmp
2604	11B3.exe
1852	348F.exe
2788	kBNZAwXLhl1u0hMwYgvN5zkZ.exe
1788	qtziroutine.exe
1152	nsz531.tmp
2164	eOdvhTU2rrMQToiohon9.exe
2288	0eO6BMV8FYaicpqJNI1m.exe
1640	0RJTRXPtE9fOfF7sQTqY.exe
1708	7yya1o17xmZDuch5F0T0.exe
2416	z3KGdG1gwh0NuqS8RhTL.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine	hlfoIuzNng05RlXh7HYJfBU8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine	0RJTRXPtE9fOfF7sQTqY.exe

Loads dropped DLL 47 IoCs

pid	Process
1476	setup.exe
1476	setup.exe
1476	setup.exe
540	vHB2eRqDUE8bIYe3zzMa2VDM.exe
3048	ztgomdFnOEO7sxBt0svOuxpQ.exe
3048	ztgomdFnOEO7sxBt0svOuxpQ.exe
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
1468	cmd.exe
2088	LjKOjEvpJLJe36lsvzfFk2iU.exe
3056	regsvr32.exe
664	xInedBS6QFz607xYBFDPRILE.exe
664	xInedBS6QFz607xYBFDPRILE.exe
1640	0RJTRXPtE9fOfF7sQTqY.exe
3004	8CD6.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
488	WerFault.exe
584	BC70.exe
584	BC70.exe
584	BC70.exe
1648	InstallSetup4.exe
1648	InstallSetup4.exe
1648	InstallSetup4.exe
2324	F923.exe
2372	kBNZAwXLhl1u0hMwYgvN5zkZ.exe
2352	F923.tmp
2352	F923.tmp
2352	F923.tmp
2352	F923.tmp
2564	WerFault.exe
2564	WerFault.exe
488	WerFault.exe
2352	F923.tmp
2564	WerFault.exe
1648	InstallSetup4.exe
1648	InstallSetup4.exe
1648	InstallSetup4.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
600	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1476-0-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-1-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-10-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-12-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-14-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-15-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-16-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-17-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-18-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-19-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-20-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-64-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-239-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-246-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-255-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-338-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida
behavioral1/memory/1476-639-0x000000013F5E0000-0x0000000140282000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	45.155.250.90

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	0eO6BMV8FYaicpqJNI1m.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0eO6BMV8FYaicpqJNI1m.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hlfoIuzNng05RlXh7HYJfBU8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hlfoIuzNng05RlXh7HYJfBU8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hlfoIuzNng05RlXh7HYJfBU8.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	qgi_xecQo0vKLaMdgQQW7X3r.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	qgi_xecQo0vKLaMdgQQW7X3r.exe
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	qgi_xecQo0vKLaMdgQQW7X3r.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP1 = "C:\\Users\\Admin\\AppData\\Local\\RageMP1\\RageMP1.exe"	qgi_xecQo0vKLaMdgQQW7X3r.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	qM6XeEt2NWmWEAVBZ_LVsVkx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a7aefbd6-1b1b-4041-9c0f-3c135fbec682\\kBNZAwXLhl1u0hMwYgvN5zkZ.exe\" --AutoStart"	kBNZAwXLhl1u0hMwYgvN5zkZ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	hlfoIuzNng05RlXh7HYJfBU8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
133	iplogger.org

Looks up external IP address via web service 25 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
171	api.2ip.ua
182	ipinfo.io
341	ipinfo.io
12	ipinfo.io
170	api.2ip.ua
275	api.2ip.ua
342	ipinfo.io
5	api.myip.com
6	api.myip.com
181	ipinfo.io
332	ipinfo.io
13	ipinfo.io
295	ipinfo.io
263	ipinfo.io
264	ipinfo.io
288	ipinfo.io
289	ipinfo.io
300	ipinfo.io
328	ipinfo.io
276	api.2ip.ua
299	ipinfo.io
327	ipinfo.io
331	ipinfo.io
193	ipinfo.io
269	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	348F.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000001c6c0-1278.dat	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1476	setup.exe
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1640	0RJTRXPtE9fOfF7sQTqY.exe
2288	0eO6BMV8FYaicpqJNI1m.exe
2288	0eO6BMV8FYaicpqJNI1m.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 3004	1640	0RJTRXPtE9fOfF7sQTqY.exe	73
PID 2424 set thread context of 2372	2424	kBNZAwXLhl1u0hMwYgvN5zkZ.exe	46
PID 2088 set thread context of 2944	2088	LjKOjEvpJLJe36lsvzfFk2iU.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
488	2360	WerFault.exe	72
2564	1732	WerFault.exe	66

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x00060000000160a7-251.dat	nsis_installer_1
behavioral1/files/0x00060000000160a7-251.dat	nsis_installer_2
behavioral1/files/0x00060000000160a7-464.dat	nsis_installer_1
behavioral1/files/0x00060000000160a7-464.dat	nsis_installer_2
behavioral1/files/0x00060000000160a7-520.dat	nsis_installer_1
behavioral1/files/0x00060000000160a7-520.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NuMdjg_hEXiJwZ0UTVK1pNTE.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NuMdjg_hEXiJwZ0UTVK1pNTE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	NuMdjg_hEXiJwZ0UTVK1pNTE.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsz531.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsz531.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	xInedBS6QFz607xYBFDPRILE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	xInedBS6QFz607xYBFDPRILE.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	hlfoIuzNng05RlXh7HYJfBU8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	hlfoIuzNng05RlXh7HYJfBU8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	qgi_xecQo0vKLaMdgQQW7X3r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	qgi_xecQo0vKLaMdgQQW7X3r.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2820	schtasks.exe
3636	schtasks.exe
2168	schtasks.exe
2916	schtasks.exe
2456	schtasks.exe
2540	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1660	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3044	tasklist.exe
1720	tasklist.exe

Modifies system certificate store 2 TTPs 20 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	hlfoIuzNng05RlXh7HYJfBU8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	xFClu5IyEneXZaEovI6Lf8f1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	xFClu5IyEneXZaEovI6Lf8f1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	qgi_xecQo0vKLaMdgQQW7X3r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	xFClu5IyEneXZaEovI6Lf8f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	qgi_xecQo0vKLaMdgQQW7X3r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e419000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	hlfoIuzNng05RlXh7HYJfBU8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1948	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	setup.exe
2708	99PyHXy5BUElKykNr7H1LJ59.exe
1676	FYmrnUINPhcDKBVH0m5G8Acm.exe
1764	NuMdjg_hEXiJwZ0UTVK1pNTE.exe
1764	NuMdjg_hEXiJwZ0UTVK1pNTE.exe
2432	qgi_xecQo0vKLaMdgQQW7X3r.exe
3048	ztgomdFnOEO7sxBt0svOuxpQ.exe
3048	ztgomdFnOEO7sxBt0svOuxpQ.exe
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
1320	hlfoIuzNng05RlXh7HYJfBU8.exe
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1764	NuMdjg_hEXiJwZ0UTVK1pNTE.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeShutdownPrivilege	1360	Process not Found
Token: SeDebugPrivilege	2288	0eO6BMV8FYaicpqJNI1m.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
2248	vHB2eRqDUE8bIYe3zzMa2VDM.tmp
2964	Letting.pif
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
2964	Letting.pif
2964	Letting.pif
1360	Process not Found
1360	Process not Found
2352	F923.tmp
2164	eOdvhTU2rrMQToiohon9.exe
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
2164	eOdvhTU2rrMQToiohon9.exe
2164	eOdvhTU2rrMQToiohon9.exe
2164	eOdvhTU2rrMQToiohon9.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2964	Letting.pif
1360	Process not Found
2964	Letting.pif
2964	Letting.pif
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
1360	Process not Found
2164	eOdvhTU2rrMQToiohon9.exe
2164	eOdvhTU2rrMQToiohon9.exe
2164	eOdvhTU2rrMQToiohon9.exe
2164	eOdvhTU2rrMQToiohon9.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3028	BroomSetup.exe
2288	0eO6BMV8FYaicpqJNI1m.exe
1708	7yya1o17xmZDuch5F0T0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 1308	1476	setup.exe	30
PID 1476 wrote to memory of 1308	1476	setup.exe	30
PID 1476 wrote to memory of 1308	1476	setup.exe	30
PID 1476 wrote to memory of 1764	1476	setup.exe	51
PID 1476 wrote to memory of 1764	1476	setup.exe	51
PID 1476 wrote to memory of 1764	1476	setup.exe	51
PID 1476 wrote to memory of 1764	1476	setup.exe	51
PID 1476 wrote to memory of 2708	1476	setup.exe	49
PID 1476 wrote to memory of 2708	1476	setup.exe	49
PID 1476 wrote to memory of 2708	1476	setup.exe	49
PID 1476 wrote to memory of 1844	1476	setup.exe	48
PID 1476 wrote to memory of 1844	1476	setup.exe	48
PID 1476 wrote to memory of 1844	1476	setup.exe	48
PID 1476 wrote to memory of 1844	1476	setup.exe	48
PID 1476 wrote to memory of 2768	1476	setup.exe	50
PID 1476 wrote to memory of 2768	1476	setup.exe	50
PID 1476 wrote to memory of 2768	1476	setup.exe	50
PID 1476 wrote to memory of 2768	1476	setup.exe	50
PID 2768 wrote to memory of 1128	2768	qM6XeEt2NWmWEAVBZ_LVsVkx.exe	47
PID 2768 wrote to memory of 1128	2768	qM6XeEt2NWmWEAVBZ_LVsVkx.exe	47
PID 2768 wrote to memory of 1128	2768	qM6XeEt2NWmWEAVBZ_LVsVkx.exe	47
PID 2768 wrote to memory of 1128	2768	qM6XeEt2NWmWEAVBZ_LVsVkx.exe	47
PID 1476 wrote to memory of 1676	1476	setup.exe	45
PID 1476 wrote to memory of 1676	1476	setup.exe	45
PID 1476 wrote to memory of 1676	1476	setup.exe	45
PID 1476 wrote to memory of 1676	1476	setup.exe	45
PID 1476 wrote to memory of 3048	1476	setup.exe	44
PID 1476 wrote to memory of 3048	1476	setup.exe	44
PID 1476 wrote to memory of 3048	1476	setup.exe	44
PID 1476 wrote to memory of 3048	1476	setup.exe	44
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 540	1476	setup.exe	43
PID 1476 wrote to memory of 796	1476	setup.exe	55
PID 1476 wrote to memory of 796	1476	setup.exe	55
PID 1476 wrote to memory of 796	1476	setup.exe	55
PID 1476 wrote to memory of 796	1476	setup.exe	55
PID 1476 wrote to memory of 820	1476	setup.exe	41
PID 1476 wrote to memory of 820	1476	setup.exe	41
PID 1476 wrote to memory of 820	1476	setup.exe	41
PID 1476 wrote to memory of 820	1476	setup.exe	41
PID 1476 wrote to memory of 664	1476	setup.exe	40
PID 1476 wrote to memory of 664	1476	setup.exe	40
PID 1476 wrote to memory of 664	1476	setup.exe	40
PID 1476 wrote to memory of 664	1476	setup.exe	40
PID 1476 wrote to memory of 1320	1476	setup.exe	37
PID 1476 wrote to memory of 1320	1476	setup.exe	37
PID 1476 wrote to memory of 1320	1476	setup.exe	37
PID 1476 wrote to memory of 1320	1476	setup.exe	37
PID 1476 wrote to memory of 2432	1476	setup.exe	31
PID 1476 wrote to memory of 2432	1476	setup.exe	31
PID 1476 wrote to memory of 2432	1476	setup.exe	31
PID 1476 wrote to memory of 2432	1476	setup.exe	31
PID 1476 wrote to memory of 2424	1476	setup.exe	35
PID 1476 wrote to memory of 2424	1476	setup.exe	35
PID 1476 wrote to memory of 2424	1476	setup.exe	35
PID 1476 wrote to memory of 2424	1476	setup.exe	35
PID 1476 wrote to memory of 2088	1476	setup.exe	34
PID 1476 wrote to memory of 2088	1476	setup.exe	34
PID 1476 wrote to memory of 2088	1476	setup.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hlfoIuzNng05RlXh7HYJfBU8.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hlfoIuzNng05RlXh7HYJfBU8.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\Documents\GuardFox\_k9gZGGvGrt0DIdtWjvwBCze.exe
  "C:\Users\Admin\Documents\GuardFox\_k9gZGGvGrt0DIdtWjvwBCze.exe"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Users\Admin\Documents\GuardFox\qgi_xecQo0vKLaMdgQQW7X3r.exe
  "C:\Users\Admin\Documents\GuardFox\qgi_xecQo0vKLaMdgQQW7X3r.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH1\MPGPH1.exe" /tn "MPGPH1 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH1\MPGPH1.exe" /tn "MPGPH1 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2456
- C:\Users\Admin\Documents\GuardFox\LjKOjEvpJLJe36lsvzfFk2iU.exe
  "C:\Users\Admin\Documents\GuardFox\LjKOjEvpJLJe36lsvzfFk2iU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:2808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:2944
- C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe
  "C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2424
- - C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe
    "C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2372
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\a7aefbd6-1b1b-4041-9c0f-3c135fbec682" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:600
  - - C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe
      "C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:2788
    - - C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe
        
        "C:\Users\Admin\Documents\GuardFox\kBNZAwXLhl1u0hMwYgvN5zkZ.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:948
- C:\Users\Admin\Documents\GuardFox\hlfoIuzNng05RlXh7HYJfBU8.exe
  "C:\Users\Admin\Documents\GuardFox\hlfoIuzNng05RlXh7HYJfBU8.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:1320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2540
- - C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\eOdvhTU2rrMQToiohon9.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\eOdvhTU2rrMQToiohon9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2164
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account
      4⤵
      PID:1916
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:1212
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
      4⤵
      PID:1936
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2468
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
      4⤵
      PID:1664
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2224
- - C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\0RJTRXPtE9fOfF7sQTqY.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\0RJTRXPtE9fOfF7sQTqY.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\iLahCcnO4zfXl75czkKY.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\iLahCcnO4zfXl75czkKY.exe"
      4⤵
      PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\Zg3V08VJtGJxqvZP4HsA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\Zg3V08VJtGJxqvZP4HsA.exe"
        5⤵
        
        PID:820
    - - C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\k6w1krlLhGzWlAeGKpD4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\k6w1krlLhGzWlAeGKpD4.exe"
        5⤵
        
        PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\hqKbtWJ6AmgJH51YFA1I.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\hqKbtWJ6AmgJH51YFA1I.exe"
        5⤵
        
        PID:2760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
        6⤵
        
        PID:3096
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3096 CREDAT:275457 /prefetch:2
        7⤵
        
        PID:3128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        6⤵
        
        PID:1692
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
        7⤵
        
        PID:704
    - - C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\tO0aYdqAbhZvSDKO1MPT.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\tO0aYdqAbhZvSDKO1MPT.exe"
        5⤵
        
        PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\stY0RbWMpcCtyKjq1XlO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4sXGjId8Z6R8c_\stY0RbWMpcCtyKjq1XlO.exe"
        5⤵
        
        PID:616
  - - C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\tGw1QLR44Ae_tYZMR5cx.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\tGw1QLR44Ae_tYZMR5cx.exe"
      4⤵
      PID:3952
  - - C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\aMLrvGg5_PNn1EN8cY_p.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\aMLrvGg5_PNn1EN8cY_p.exe"
      4⤵
      PID:3532
  - - C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\L2_ZNRQrrvfwuAW7s5tT.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\L2_ZNRQrrvfwuAW7s5tT.exe"
      4⤵
      PID:3520
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account
        5⤵
        
        PID:3856
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3856 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:3752
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
        5⤵
        
        PID:2448
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:3324
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        5⤵
        
        PID:972
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\O4CgYth3UnLKUZjCASdK.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4wcObiaDtPmBmO\O4CgYth3UnLKUZjCASdK.exe"
      4⤵
      PID:3660
- - C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\7yya1o17xmZDuch5F0T0.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\7yya1o17xmZDuch5F0T0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\8PzbodW593HEN5tca2Vs.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\8PzbodW593HEN5tca2Vs.exe"
      4⤵
      PID:3620
  - - C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\H6Jw25Hv_SbXrpXRi5oh.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\H6Jw25Hv_SbXrpXRi5oh.exe"
      4⤵
      PID:3568
  - - C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\xPnDWqs_Pb7TzJ0aml5K.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\xPnDWqs_Pb7TzJ0aml5K.exe"
      4⤵
      PID:3988
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/account
        5⤵
        
        PID:3492
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3492 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:2848
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
        5⤵
        
        PID:3080
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3080 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:3956
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        5⤵
        
        PID:1900
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
        6⤵
        
        PID:1740
  - - C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\xpdCv6DOZm_4ySGRV_ii.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\xpdCv6DOZm_4ySGRV_ii.exe"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\zFvY4j1BEJgHHxDLs2Gs.exe
      "C:\Users\Admin\AppData\Local\Temp\jobA4IdvfWlvlXnlfd\zFvY4j1BEJgHHxDLs2Gs.exe"
      4⤵
      PID:3012
- - C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\0eO6BMV8FYaicpqJNI1m.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\0eO6BMV8FYaicpqJNI1m.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\z3KGdG1gwh0NuqS8RhTL.exe
    "C:\Users\Admin\AppData\Local\Temp\jobA4TD4W4yoMRK5ig\z3KGdG1gwh0NuqS8RhTL.exe"
    3⤵
    - Executes dropped EXE
    PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
      "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
      4⤵
      PID:2780
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3636
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe"
        5⤵
        
        PID:1180
    - - C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe"
        5⤵
        
        PID:2764
    - - C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe"
        5⤵
        
        PID:3720
    - - C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000817001\leg221.exe"
        5⤵
        
        PID:1956
- C:\Users\Admin\Documents\GuardFox\xInedBS6QFz607xYBFDPRILE.exe
  "C:\Users\Admin\Documents\GuardFox\xInedBS6QFz607xYBFDPRILE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\xInedBS6QFz607xYBFDPRILE.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:356
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Executes dropped EXE
      Delays execution with timeout.exe
      PID:1660
- C:\Users\Admin\Documents\GuardFox\DmEbJsJbIJ3rgqR_JwIfJIlf.exe
  "C:\Users\Admin\Documents\GuardFox\DmEbJsJbIJ3rgqR_JwIfJIlf.exe"
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Users\Admin\Documents\GuardFox\_8Lj0Yuvi2THI3xMk1WHIQFH.exe
  "C:\Users\Admin\Documents\GuardFox\_8Lj0Yuvi2THI3xMk1WHIQFH.exe"
  2⤵
  PID:796
- C:\Users\Admin\Documents\GuardFox\vHB2eRqDUE8bIYe3zzMa2VDM.exe
  "C:\Users\Admin\Documents\GuardFox\vHB2eRqDUE8bIYe3zzMa2VDM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:540
- C:\Users\Admin\Documents\GuardFox\ztgomdFnOEO7sxBt0svOuxpQ.exe
  "C:\Users\Admin\Documents\GuardFox\ztgomdFnOEO7sxBt0svOuxpQ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Users\Admin\Documents\GuardFox\FYmrnUINPhcDKBVH0m5G8Acm.exe
  "C:\Users\Admin\Documents\GuardFox\FYmrnUINPhcDKBVH0m5G8Acm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Users\Admin\Documents\GuardFox\xFClu5IyEneXZaEovI6Lf8f1.exe
  "C:\Users\Admin\Documents\GuardFox\xFClu5IyEneXZaEovI6Lf8f1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1844
- C:\Users\Admin\Documents\GuardFox\99PyHXy5BUElKykNr7H1LJ59.exe
  "C:\Users\Admin\Documents\GuardFox\99PyHXy5BUElKykNr7H1LJ59.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2708
- C:\Users\Admin\Documents\GuardFox\qM6XeEt2NWmWEAVBZ_LVsVkx.exe
  "C:\Users\Admin\Documents\GuardFox\qM6XeEt2NWmWEAVBZ_LVsVkx.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2768
- C:\Users\Admin\Documents\GuardFox\NuMdjg_hEXiJwZ0UTVK1pNTE.exe
  "C:\Users\Admin\Documents\GuardFox\NuMdjg_hEXiJwZ0UTVK1pNTE.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /k move Practice Practice.bat & Practice.bat & exit
1⤵
- Loads dropped DLL
PID:1468
- C:\Windows\SysWOW64\findstr.exe
  findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
  2⤵
  PID:2324
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\findstr.exe
  findstr /I "wrsa.exe"
  2⤵
  PID:940
- C:\Windows\SysWOW64\tasklist.exe
  tasklist
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c md 15598
  2⤵
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b Trading + Aging + Toys + Omaha + Span 15598\Letting.pif
  2⤵
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd /c copy /b Dish + Measures 15598\t
  2⤵
  PID:2224
- C:\Windows\SysWOW64\PING.EXE
  ping -n 5 localhost
  2⤵
  - Runs ping.exe
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\15598\Letting.pif
  15598\Letting.pif 15598\t
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2964

C:\Users\Admin\AppData\Local\Temp\is-LMQDR.tmp\vHB2eRqDUE8bIYe3zzMa2VDM.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LMQDR.tmp\vHB2eRqDUE8bIYe3zzMa2VDM.tmp" /SL5="$B0122,6119060,54272,C:\Users\Admin\Documents\GuardFox\vHB2eRqDUE8bIYe3zzMa2VDM.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2248
- C:\Users\Admin\AppData\Local\JS Calendar lib\jscalendarlib.exe
  "C:\Users\Admin\AppData\Local\JS Calendar lib\jscalendarlib.exe" -i
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Local\JS Calendar lib\jscalendarlib.exe
  "C:\Users\Admin\AppData\Local\JS Calendar lib\jscalendarlib.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1220

C:\Windows\SysWOW64\TapiUnattend.exe
TapiUnattend.exe
1⤵
PID:1128

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
PID:796

C:\Users\Admin\AppData\Local\Temp\821B.exe
C:\Users\Admin\AppData\Local\Temp\821B.exe
1⤵
- Executes dropped EXE
PID:1732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2564

C:\Users\Admin\AppData\Local\Temp\8CD6.exe
C:\Users\Admin\AppData\Local\Temp\8CD6.exe
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\8CD6.exe
  C:\Users\Admin\AppData\Local\Temp\8CD6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3004

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\961A.dll
1⤵
PID:2108
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\961A.dll
  2⤵
  - Loads dropped DLL
  PID:3056

C:\Users\Admin\AppData\Local\Temp\A7A8.exe
C:\Users\Admin\AppData\Local\Temp\A7A8.exe
1⤵
- Executes dropped EXE
PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 96
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:488

C:\Users\Admin\AppData\Local\Temp\BC70.exe
C:\Users\Admin\AppData\Local\Temp\BC70.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584
- C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1648
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:2548
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2820
- - C:\Users\Admin\AppData\Local\Temp\nsz531.tmp
    C:\Users\Admin\AppData\Local\Temp\nsz531.tmp
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  PID:3032
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    PID:3756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2896

C:\Users\Admin\AppData\Local\Temp\F923.exe
C:\Users\Admin\AppData\Local\Temp\F923.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324
- C:\Users\Admin\AppData\Local\Temp\is-B2HA1.tmp\F923.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B2HA1.tmp\F923.tmp" /SL5="$3018A,7212709,54272,C:\Users\Admin\AppData\Local\Temp\F923.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  PID:2352
- - C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe
    "C:\Users\Admin\AppData\Local\QT Zoneinfo Routine\qtziroutine.exe" -i
    3⤵
    - Executes dropped EXE
    PID:1788

C:\Users\Admin\AppData\Local\Temp\11B3.exe
C:\Users\Admin\AppData\Local\Temp\11B3.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Users\Admin\AppData\Local\Temp\348F.exe
C:\Users\Admin\AppData\Local\Temp\348F.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1852

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240201203748.log C:\Windows\Logs\CBS\CbsPersist_20240201203748.cab
1⤵
PID:3372

C:\Windows\system32\taskeng.exe
taskeng.exe {18FC33D4-31A4-41F6-A5A8-E9D9F13EF16D} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
1⤵
PID:4092
- C:\Users\Admin\AppData\Roaming\bdafwga
  C:\Users\Admin\AppData\Roaming\bdafwga
  2⤵
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

Remote System Discovery

T1018

System Information Discovery

Virtualization/Sandbox Evasion