5a4910478aa63cb878997fede6c3590473cc697418cb28740abefdcb571888b4

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	mDNSResponder.exe

Executes dropped EXE 64 IoCs

pid	Process
3296	imyfone-download.exe
3984	imyfone-download.tmp
5408	LocSpoof.exe
5808	adb.exe
5908	appAutoUpdate.exe
1844	cef_process.exe
8	adb.exe
5588	mDNSResponder.exe
2004	LocSpoof-20240104-27.exe
5612	LocSpoof-20240104-27.tmp
2636	Process not Found
6004	xdelta-x64.exe
6064	xdelta-x64.exe
6080	xdelta-x64.exe
6120	xdelta-x64.exe
3968	adb.exe
2748	xdelta-x64.exe
5812	mDNSResponder.exe
5008	adb.exe
5972	AppleMobileDeviceService.exe
2596	LocSpoof.exe
908	AppleMobileDeviceService.exe
1612	adb.exe
2952	appAutoUpdate.exe
5856	cef_process.exe
6060	adb.exe
3396	adb.exe
6040	adb.exe
3048	adb.exe
5148	adb.exe
5524	adb.exe
5548	adb.exe
3888	cef_process.exe
5916	adb.exe
3256	adb.exe
2824	adb.exe
6044	adb.exe
1980	adb.exe
2408	adb.exe
5732	adb.exe
4272	adb.exe
2004	adb.exe
5780	adb.exe
4632	adb.exe
5072	adb.exe
5968	adb.exe
5184	adb.exe
5696	adb.exe
3520	adb.exe
5692	adb.exe
4948	adb.exe
1904	adb.exe
1016	adb.exe
2152	adb.exe
1884	adb.exe
2852	adb.exe
6128	adb.exe
5380	adb.exe
6024	adb.exe
4800	adb.exe
1676	adb.exe
3408	adb.exe
4256	adb.exe
4112	adb.exe

Loads dropped DLL 64 IoCs

pid	Process
3984	imyfone-download.tmp
3984	imyfone-download.tmp
3984	imyfone-download.tmp
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe

Registers COM server for autorun 1 TTPs 19 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12E6A993-AE52-4F99-8B89-41F985E6C952}\InprocServer32\ = "C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\OutlookChangeNotifierAddIn.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12E6A993-AE52-4F99-8B89-41F985E6C952}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12E6A993-AE52-4F99-8B89-41F985E6C952}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ = "C:\\Windows\\system32\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\InprocServer32	msiexec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
109	5960	msiexec.exe
171	5960	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
56	ip-api.com

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\dnssdX.dll	msiexec.exe
File created	C:\Windows\SysWOW64\jdns_sd.dll	msiexec.exe
File created	C:\Windows\system32\jdns_sd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dns-sd.exe	msiexec.exe
File created	C:\Windows\system32\dns-sd.exe	msiexec.exe
File created	C:\Windows\SysWOW64\dnssd.dll	msiexec.exe
File created	C:\Windows\system32\dnssd.dll	msiexec.exe
File created	C:\Windows\SysWOW64\dnssdX.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\iRocket\iRocket LocSpoof\libEGL.dll	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\deprecated\is-1EK4E.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\contrib\messages\is-UB1QC.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\test\is-GPPML.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\2\distutils\command\is-9UV41.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\maxminddb\is-RBTED.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\3\is-PQACF.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\cachetools\is-OLHRJ.tmp	imyfone-download.tmp
File created	C:\Program Files\Common Files\Apple\Mobile Device Support\libxml2.dll	msiexec.exe
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\FeedbackRes\skin\gif\submitting\is-GN4IE.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\skin\street\PictureNormal\common\checkbox\is-G85UV.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\USBDebugGuide\more\Android 4.2 to 5.2\is-TNR8U.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\USBDebugGuide\oppo\is-5SBS4.tmp	imyfone-download.tmp
File opened for modification	C:\Program Files (x86)\iRocket\iRocket LocSpoof\NcmDriver\x64\apple\api-ms-win-crt-runtime-l1-1-0.dll	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\3\concurrent\futures\is-J6RI1.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\is-ITT1R.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\Map\Leaflet\js\thirdlib\is-G2HQK.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\db\models\is-UBN12.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\werkzeug\is-KRK8G.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\skin\street\PictureNormal\Images\DeviceSelectList\is-J4KT5.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\is-GNVLL.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\NcmDriver\x64\apple\is-7D0JS.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\utils\is-5GGKG.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\2and3\is-RNR0N.tmp	imyfone-download.tmp
File created	C:\Program Files\Common Files\Apple\Mobile Device Support\CoreFoundation.resources\pt.lproj\Error.strings	msiexec.exe
File created	C:\Program Files\Common Files\Apple\Mobile Device Support\CFNetwork.resources\German.lproj\Localizable.strings	msiexec.exe
File created	C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\language\ChineseTW\pr_3.png	irocket-locspoof_setup.exe
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\domain	irocket-locspoof_setup.exe
File created	C:\Program Files (x86)\Bonjour\Bonjour.Resources\es.lproj\About Bonjour.rtf	msiexec.exe
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\skin\street\PictureNormal\Images\is-RVPE3.tmp	imyfone-download.tmp
File opened for modification	C:\Program Files (x86)\iRocket\iRocket LocSpoof\api-ms-win-crt-string-l1-1-0.dll	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\is-J8P4U.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\language\qm\is-EL1CQ.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\3\asyncio\is-9BIJP.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2\kazoo\is-48QAE.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2\six\moves\is-NO5MN.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\3\freezegun\is-JPBGN.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\language\Korean\text.ini	irocket-locspoof_setup.exe
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\db\models\is-2CSLM.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\http\is-DDQ8I.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\characteristic\is-IQ0MA.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\skin\street\PictureNormal\Images\FunctionGuide\is-13CFJ.tmp	imyfone-download.tmp
File created	C:\Program Files\Bonjour\mDNSResponder.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\iRocket\iRocket LocSpoof\ServiceManagerDll.dll	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\FeedbackRes\skin\gif\submitting\is-8VNKT.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\language\qm\is-KKAMA.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\NcmDriver\x64\apple\is-UFLDG.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\2and3\lib2to3\is-85FD1.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\chardet\is-26LIS.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\flask\is-IL3EN.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\views\is-QDONH.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2\routes\is-36BLG.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\google\protobuf\compiler\is-3ULQM.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\flask\is-A0RT3.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\third_party\2and3\google\protobuf\compiler\is-OPLIQ.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\skin\street\PictureNormal\Member\is-S5OVF.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\language\French\pr_3.png	irocket-locspoof_setup.exe
File created	C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\language\Italian\text.ini	irocket-locspoof_setup.exe
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\2\is-UILQ4.tmp	imyfone-download.tmp
File opened for modification	C:\Program Files (x86)\iRocket\iRocket LocSpoof\imageformats\qico.dll	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\django-stubs\django-stubs\core\management\is-883HN.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\2and3\is-57F6I.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\jedi\third_party\typeshed\stdlib\3\distutils\command\is-ULRIP.tmp	imyfone-download.tmp
File created	C:\Program Files (x86)\iRocket\iRocket LocSpoof\redBullquic\_internal\is-DHQ9S.tmp	imyfone-download.tmp

Drops file in Windows directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\msvcp140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vcruntime140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vcruntime140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0A6E968F20D84712.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI875.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFACE4D04DD65CB0AE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vccorlib140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File created	C:\Windows\Installer\SourceHash{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE34CC267974FA791.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE119CF5277BBAB7E.TMP	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vccorlib140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File created	C:\Windows\Installer\e5cfe4d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3534.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\msvcp140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vcruntime140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3EF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF13C548104A26E66D.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3BF2.tmp	msiexec.exe
File created	C:\Windows\Installer\{527DD209-8A66-482F-8779-C7B3BACCA8F1}\Installer.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e5cfe53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3661.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vccorlib140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5cfe53.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35F0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3601.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5cfe4d.msi	msiexec.exe
File created	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\RichText.ico	msiexec.exe
File created	C:\Windows\Installer\SourceHash{527DD209-8A66-482F-8779-C7B3BACCA8F1}	msiexec.exe
File opened for modification	C:\Windows\Installer\{527DD209-8A66-482F-8779-C7B3BACCA8F1}\Installer.ico	msiexec.exe
File created	C:\Windows\SystemTemp\~DFFB0E2BF1FEC9B0B2.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B74.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{527DD209-8A66-482F-8779-C7B3BACCA8F1}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\RichText.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\msvcp140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3A30D71AE33C5767.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3CE.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\concrt140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\concrt140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\msvcp140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vccorlib140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D3.tmp	msiexec.exe
File created	C:\Windows\Installer\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}\Bonjour.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3650.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5288.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI57F8.tmp	msiexec.exe
File created	C:\Windows\Installer\e5cfe52.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F	msiexec.exe
File created	C:\Windows\Installer\e5cfe57.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\vcruntime140.dll.BC0B92F1_D156_35A8_A565_6689E8DDDA1F	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5387F3A4B3F053B1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI398E.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\concrt140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\902DD72566A8F28478977C3BABCC8A1F\15.0.0\concrt140.dll.B796D14F_AD8C_3A96_B2B8_3D8FF8499DA8	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	LocSpoof.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	LocSpoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	LocSpoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	LocSpoof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	LocSpoof.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
3964	taskkill.exe
4152	taskkill.exe
5104	taskkill.exe
1404	taskkill.exe
2228	taskkill.exe
1720	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Internet Explorer\GPU	WebExperienceHostApp.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	WebExperienceHostApp.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Apple Inc.	AppleMobileDeviceService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	WebExperienceHostApp.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	AppleMobileDeviceService.exe
Key created	\REGISTRY\USER\S-1-5-19	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Apple Inc.\ASL\filenames	AppleMobileDeviceService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Apple Inc.\ASL\filenames\asl.log = "asl.122552_12Mar24.log"	AppleMobileDeviceService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Apple Inc.\ASL\filenames\asl.log = "asl.122559_12Mar24.log"	AppleMobileDeviceService.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography	WebExperienceHostApp.exe
Key created	\REGISTRY\USER\.DEFAULT\Environment	AppleMobileDeviceService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	AppleMobileDeviceService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Apple Inc.\ASL	AppleMobileDeviceService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Apple Inc.\ASL\filenames	AppleMobileDeviceService.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ = "ITXTRecord"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDRecord\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OutlookChangeNotifier.Connect.1\CLSID\ = "{12E6A993-AE52-4F99-8B89-41F985E6C952}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29DE265F-8402-474F-833A-D4653B23458F}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{8FA0889C-5973-4FC9-970B-EC15C925D0CE}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDService.1\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\NumMethods\ = "9"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\TypeLib\ = "{18FBED6D-F2B7-4EC8-A4A4-46282E635308}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\Bonjour.DLL	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "IDNSSDEventManager"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.TXTRecord\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Bonjour.DNSSDEventManager\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList\LastUsedSource = "n;1;C:\\iMyfone\\Anyto\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\902DD72566A8F28478977C3BABCC8A1F\PackageCode = "5B71085F43284B8499D5871922748FCF"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Bonjour.DNSSDEventManager.1\CLSID\ = "{BEEB932A-8D4A-4619-AEFE-A836F988B221}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ = "DNSSDService Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\dnssdX.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ = "PSFactoryBuffer"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{B80C6976-50C0-4110-BC85-44EB975CDCA0}\1.0\HELPDIR	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win64	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\902DD72566A8F28478977C3BABCC8A1F	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{18FBED6D-F2B7-4EC8-A4A4-46282E635308}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\ = "DNSSDService Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\ProgID\ = "Bonjour.TXTRecord.1"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\client.cbs\NumberOfSubdomains = "0"	WebExperienceHostApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\Bonjour.DLL\AppID = "{56608F9C-223B-4CB6-813D-85EDCCADFB4B}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\902DD72566A8F28478977C3BABCC8A1F\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{7FD72324-63E1-45AD-B337-4D525BD98DAD}\ProxyStubClsid	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib\Version = "1.0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B80C6976-50C0-4110-BC85-44EB975CDCA0}\1.0\FLAGS\ = "0"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	WebExperienceHostApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{12E6A993-AE52-4F99-8B89-41F985E6C952}\Programmable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B80C6976-50C0-4110-BC85-44EB975CDCA0}\1.0\HELPDIR\	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E93C5A9-7516-4259-A67B-41A656F6E01C}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24CD4DE9-FF84-4701-9DC1-9B69E0D1090A}\VersionIndependentProgID\ = "Bonjour.DNSSDService"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\902DD72566A8F28478977C3BABCC8A1F\SourceList\Net\1 = "C:\\iMyfone\\Anyto\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{BEEB932A-8D4A-4619-AEFE-A836F988B221}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AFEE063C-05BA-4248-A26E-168477F49734}\VersionIndependentProgID\ = "Bonjour.TXTRecord"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\902DD72566A8F28478977C3BABCC8A1F\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{21AE8D7F-D5FE-45CF-B632-CFA2C2C6B498}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9CE603A0-3365-4DA0-86D1-3F780ECBA110}\TypeLib	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8BFDDD6597F70844985D521E5FA22BF8\Language = "1033"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	LocSpoof.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0280f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	LocSpoof.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	LocSpoof.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
5408	LocSpoof.exe
5908	appAutoUpdate.exe
2596	LocSpoof.exe
2952	appAutoUpdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	irocket-locspoof_setup.exe
4960	irocket-locspoof_setup.exe
3984	imyfone-download.tmp
3984	imyfone-download.tmp
3984	imyfone-download.tmp
3984	imyfone-download.tmp
4960	irocket-locspoof_setup.exe
4960	irocket-locspoof_setup.exe
2576	msedge.exe
2576	msedge.exe
2864	msedge.exe
2864	msedge.exe
2768	identity_helper.exe
2768	identity_helper.exe
5048	msedge.exe
5048	msedge.exe
4960	irocket-locspoof_setup.exe
4960	irocket-locspoof_setup.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5908	appAutoUpdate.exe
5908	appAutoUpdate.exe
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp
5612	LocSpoof-20240104-27.tmp

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5408	LocSpoof.exe
2596	LocSpoof.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	5408	LocSpoof.exe
Token: SeShutdownPrivilege	5408	LocSpoof.exe
Token: SeIncreaseQuotaPrivilege	5408	LocSpoof.exe
Token: SeSecurityPrivilege	5960	msiexec.exe
Token: SeCreateTokenPrivilege	5408	LocSpoof.exe
Token: SeAssignPrimaryTokenPrivilege	5408	LocSpoof.exe
Token: SeLockMemoryPrivilege	5408	LocSpoof.exe
Token: SeIncreaseQuotaPrivilege	5408	LocSpoof.exe
Token: SeMachineAccountPrivilege	5408	LocSpoof.exe
Token: SeTcbPrivilege	5408	LocSpoof.exe
Token: SeSecurityPrivilege	5408	LocSpoof.exe
Token: SeTakeOwnershipPrivilege	5408	LocSpoof.exe
Token: SeLoadDriverPrivilege	5408	LocSpoof.exe
Token: SeSystemProfilePrivilege	5408	LocSpoof.exe
Token: SeSystemtimePrivilege	5408	LocSpoof.exe
Token: SeProfSingleProcessPrivilege	5408	LocSpoof.exe
Token: SeIncBasePriorityPrivilege	5408	LocSpoof.exe
Token: SeCreatePagefilePrivilege	5408	LocSpoof.exe
Token: SeCreatePermanentPrivilege	5408	LocSpoof.exe
Token: SeBackupPrivilege	5408	LocSpoof.exe
Token: SeRestorePrivilege	5408	LocSpoof.exe
Token: SeShutdownPrivilege	5408	LocSpoof.exe
Token: SeDebugPrivilege	5408	LocSpoof.exe
Token: SeAuditPrivilege	5408	LocSpoof.exe
Token: SeSystemEnvironmentPrivilege	5408	LocSpoof.exe
Token: SeChangeNotifyPrivilege	5408	LocSpoof.exe
Token: SeRemoteShutdownPrivilege	5408	LocSpoof.exe
Token: SeUndockPrivilege	5408	LocSpoof.exe
Token: SeSyncAgentPrivilege	5408	LocSpoof.exe
Token: SeEnableDelegationPrivilege	5408	LocSpoof.exe
Token: SeManageVolumePrivilege	5408	LocSpoof.exe
Token: SeImpersonatePrivilege	5408	LocSpoof.exe
Token: SeCreateGlobalPrivilege	5408	LocSpoof.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe
Token: SeTakeOwnershipPrivilege	5960	msiexec.exe
Token: SeRestorePrivilege	5960	msiexec.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4960	irocket-locspoof_setup.exe
3984	imyfone-download.tmp
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe
2864	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3528	WebExperienceHostApp.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5908	appAutoUpdate.exe
5908	appAutoUpdate.exe
5808	adb.exe
5908	appAutoUpdate.exe
5908	appAutoUpdate.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5908	appAutoUpdate.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5908	appAutoUpdate.exe
1844	cef_process.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
8	adb.exe
2004	LocSpoof-20240104-27.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5612	LocSpoof-20240104-27.tmp
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
3968	adb.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5408	LocSpoof.exe
5008	adb.exe
2596	LocSpoof.exe
2596	LocSpoof.exe
2596	LocSpoof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 3296	4960	irocket-locspoof_setup.exe	81
PID 4960 wrote to memory of 3296	4960	irocket-locspoof_setup.exe	81
PID 4960 wrote to memory of 3296	4960	irocket-locspoof_setup.exe	81
PID 3296 wrote to memory of 3984	3296	imyfone-download.exe	82
PID 3296 wrote to memory of 3984	3296	imyfone-download.exe	82
PID 3296 wrote to memory of 3984	3296	imyfone-download.exe	82
PID 3984 wrote to memory of 4068	3984	imyfone-download.tmp	83
PID 3984 wrote to memory of 4068	3984	imyfone-download.tmp	83
PID 3984 wrote to memory of 4068	3984	imyfone-download.tmp	83
PID 4068 wrote to memory of 1404	4068	cmd.exe	85
PID 4068 wrote to memory of 1404	4068	cmd.exe	85
PID 4068 wrote to memory of 1404	4068	cmd.exe	85
PID 3984 wrote to memory of 1556	3984	imyfone-download.tmp	87
PID 3984 wrote to memory of 1556	3984	imyfone-download.tmp	87
PID 3984 wrote to memory of 1556	3984	imyfone-download.tmp	87
PID 1556 wrote to memory of 2228	1556	cmd.exe	89
PID 1556 wrote to memory of 2228	1556	cmd.exe	89
PID 1556 wrote to memory of 2228	1556	cmd.exe	89
PID 3984 wrote to memory of 3884	3984	imyfone-download.tmp	90
PID 3984 wrote to memory of 3884	3984	imyfone-download.tmp	90
PID 3984 wrote to memory of 3884	3984	imyfone-download.tmp	90
PID 3884 wrote to memory of 1720	3884	cmd.exe	92
PID 3884 wrote to memory of 1720	3884	cmd.exe	92
PID 3884 wrote to memory of 1720	3884	cmd.exe	92
PID 3984 wrote to memory of 1904	3984	imyfone-download.tmp	93
PID 3984 wrote to memory of 1904	3984	imyfone-download.tmp	93
PID 3984 wrote to memory of 1904	3984	imyfone-download.tmp	93
PID 1904 wrote to memory of 3964	1904	cmd.exe	95
PID 1904 wrote to memory of 3964	1904	cmd.exe	95
PID 1904 wrote to memory of 3964	1904	cmd.exe	95
PID 3984 wrote to memory of 1036	3984	imyfone-download.tmp	96
PID 3984 wrote to memory of 1036	3984	imyfone-download.tmp	96
PID 3984 wrote to memory of 1036	3984	imyfone-download.tmp	96
PID 1036 wrote to memory of 4152	1036	cmd.exe	98
PID 1036 wrote to memory of 4152	1036	cmd.exe	98
PID 1036 wrote to memory of 4152	1036	cmd.exe	98
PID 3984 wrote to memory of 2864	3984	imyfone-download.tmp	99
PID 3984 wrote to memory of 2864	3984	imyfone-download.tmp	99
PID 3984 wrote to memory of 2864	3984	imyfone-download.tmp	99
PID 2864 wrote to memory of 5104	2864	cmd.exe	101
PID 2864 wrote to memory of 5104	2864	cmd.exe	101
PID 2864 wrote to memory of 5104	2864	cmd.exe	101
PID 4960 wrote to memory of 2864	4960	irocket-locspoof_setup.exe	103
PID 4960 wrote to memory of 2864	4960	irocket-locspoof_setup.exe	103
PID 2864 wrote to memory of 2036	2864	msedge.exe	104
PID 2864 wrote to memory of 2036	2864	msedge.exe	104
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105
PID 2864 wrote to memory of 4676	2864	msedge.exe	105

C:\Users\Admin\AppData\Local\Temp\irocket-locspoof_setup.exe
"C:\Users\Admin\AppData\Local\Temp\irocket-locspoof_setup.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\imyfone-download.exe
  /verysilent /imyfone_down /wait_run /path="C:\Program Files (x86)\" /progress="C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\temp.progress"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3296
- - C:\Users\Admin\AppData\Local\Temp\is-2DDJC.tmp\imyfone-download.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2DDJC.tmp\imyfone-download.tmp" /SL5="$90030,251597750,125952,C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\imyfone-download.exe" /verysilent /imyfone_down /wait_run /path="C:\Program Files (x86)\" /progress="C:\Program Files (x86)\imyfone_down\irocket-locspoof_setup\temp.progress"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /t /im AppleMobileService.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im AppleMobileService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /t /im adb.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im adb.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /t /im appAutoUpdate.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3884
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im appAutoUpdate.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /t /im Feedback.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im Feedback.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /t /im NcmdriverInstaller.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im NcmdriverInstaller.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c taskkill /f /t /im pymobiledevice3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im pymobiledevice3.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://apipdm.irocketvpn.com/producturl?key=installed&pid=100371&lang=English&custom=com_english
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffb1c63cb8,0x7fffb1c63cc8,0x7fffb1c63cd8
    3⤵
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
    3⤵
    PID:4676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:3428
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:4552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:3284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2896130738467049330,5627716733543222648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3132 /prefetch:2
    3⤵
    PID:5920
- C:\Program Files (x86)\iRocket\iRocket LocSpoof\LocSpoof.exe
  "C:\Program Files (x86)\iRocket\iRocket LocSpoof\LocSpoof.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5408
- - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
    "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb" kill-server
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5808
- - C:\Program Files (x86)\iRocket\iRocket LocSpoof\appAutoUpdate.exe
    "C:\Program Files (x86)\iRocket\iRocket LocSpoof\appAutoUpdate.exe" "--skinPath=C:/Program Files (x86)/iRocket/iRocket LocSpoof/skin/street" --autoInstall=true --silent=true
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5908
  - - C:\Users\Admin\AppData\Local\Temp\LocSpoof-20240104-27.exe
      C:\Users\Admin\AppData\Local\Temp\LocSpoof-20240104-27.exe /VERYSILENT /SUPPRESSMSGBOXES "/DIR=C:\Program Files (x86)\iRocket\iRocket LocSpoof"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\is-6P8V0.tmp\LocSpoof-20240104-27.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6P8V0.tmp\LocSpoof-20240104-27.tmp" /SL5="$11028E,959757,121344,C:\Users\Admin\AppData\Local\Temp\LocSpoof-20240104-27.exe" /VERYSILENT /SUPPRESSMSGBOXES "/DIR=C:\Program Files (x86)\iRocket\iRocket LocSpoof"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5612
      - C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe -d -f -s "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Backup\LeafletMapDll.dll" "C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\PatchData\LeafletMapDll.dll.xdelta" "C:\Program Files (x86)\iRocket\iRocket LocSpoof\LeafletMapDll.dll"
        6⤵
        Executes dropped EXE
        
        PID:6004
      - C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe -d -f -s "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Backup\LocSpoof.exe" "C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\PatchData\LocSpoof.exe.xdelta" "C:\Program Files (x86)\iRocket\iRocket LocSpoof\LocSpoof.exe"
        6⤵
        Executes dropped EXE
        
        PID:6064
      - C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe -d -f -s "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Backup\patch" "C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\PatchData\patch.xdelta" "C:\Program Files (x86)\iRocket\iRocket LocSpoof\patch"
        6⤵
        Executes dropped EXE
        
        PID:6080
      - C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe -d -f -s "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Backup\Map\Leaflet\js\bridge.js" "C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\PatchData\Map\Leaflet\js\bridge.js.xdelta" "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Map\Leaflet\js\bridge.js"
        6⤵
        Executes dropped EXE
        
        PID:6120
      - C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe
        
        C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\xdelta-x64.exe -d -f -s "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Backup\Map\Leaflet\js\operate.js" "C:\Users\Admin\AppData\Local\Temp\is-1HCR9.tmp\PatchData\Map\Leaflet\js\operate.js.xdelta" "C:\Program Files (x86)\iRocket\iRocket LocSpoof\Map\Leaflet\js\operate.js"
        6⤵
        Executes dropped EXE
        
        PID:2748
  - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\LocSpoof.exe
      "C:\Program Files (x86)\iRocket\iRocket LocSpoof\LocSpoof.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Modifies system certificate store
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of SetWindowsHookEx
      PID:2596
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb" kill-server
        5⤵
        Executes dropped EXE
        
        PID:1612
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\appAutoUpdate.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\appAutoUpdate.exe" "--skinPath=C:/Program Files (x86)/iRocket/iRocket LocSpoof/skin/street" --autoInstall=true --silent=true
        5⤵
        Executes dropped EXE
        Suspicious behavior: AddClipboardFormatListener
        
        PID:2952
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\cef_process.exe
        
        "C:/Program Files (x86)/iRocket/iRocket LocSpoof/cef_process.exe" --type=renderer --disable-gpu-compositing --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\iRocket\iRocket LocSpoof\debug.log" --user-agent="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" --disable-extensions --disable-pdf-extension --disable-spell-checking --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="2596.0.1375643025\437122352" /prefetch:1
        5⤵
        Executes dropped EXE
        
        PID:5856
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:6060
      - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        adb -L tcp:5037 fork-server server --reply-fd 588
        6⤵
        Executes dropped EXE
        
        PID:3396
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb" connect
        5⤵
        Executes dropped EXE
        
        PID:6040
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:3048
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5148
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5524
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5548
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\cef_process.exe
        
        "C:/Program Files (x86)/iRocket/iRocket LocSpoof/cef_process.exe" --type=utility --channel="2596.1.1518435881\141658694" --lang=en-US --no-sandbox --no-sandbox --lang=en-US --log-file="C:\Program Files (x86)\iRocket\iRocket LocSpoof\debug.log" --user-agent="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" /prefetch:8
        5⤵
        Executes dropped EXE
        
        PID:3888
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5916
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:3256
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:2824
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:6044
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:1980
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:2408
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5732
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:4272
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:2004
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5780
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:4632
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5072
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5968
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5184
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5696
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:3520
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5692
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:4948
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:1904
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:1016
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:2152
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:1884
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:2852
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:6128
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:5380
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:6024
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:4800
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:1676
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:3408
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:4256
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        Executes dropped EXE
        
        PID:4112
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4260
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5552
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5124
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4392
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3276
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:752
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5796
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3048
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2360
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2040
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:716
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:564
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3444
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5336
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1296
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5688
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5328
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1304
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1616
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1284
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5384
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5176
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3236
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2384
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6036
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2820
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3344
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5484
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6064
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3532
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5348
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5864
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3468
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4588
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5012
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2244
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4816
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:656
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3260
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3348
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5428
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:104
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2960
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5808
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2200
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2624
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3884
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2696
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5092
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5224
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5140
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3496
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2704
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4996
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:580
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2012
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1044
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1820
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3716
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1612
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4536
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6072
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2736
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5204
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3700
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4244
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2412
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:656
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2040
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1892
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3196
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2196
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1520
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3232
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5008
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5688
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3888
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5880
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1616
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2852
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5180
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6092
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3376
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5532
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6024
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2572
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5332
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:472
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4808
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3408
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1120
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2328
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:448
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4392
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2740
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3468
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1832
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6120
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5680
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5020
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4244
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3940
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3556
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5088
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1236
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5608
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6108
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5324
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5104
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1520
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3232
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4152
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:788
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:940
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4036
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5712
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5648
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6048
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3448
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1508
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2060
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4472
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2288
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1980
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6032
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6008
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6080
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2952
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4892
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5612
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4084
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4264
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3468
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4584
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5572
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2448
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1412
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5432
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3596
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2824
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1284
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2624
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4808
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2836
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3692
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1912
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1104
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4816
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4568
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3272
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3968
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1620
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4908
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3704
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5712
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5648
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4472
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5708
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4740
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4040
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2748
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1820
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1992
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1400
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4084
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5400
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5684
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4324
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1332
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2424
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1444
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5068
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1676
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4948
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4244
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5772
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1984
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4640
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3732
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2824
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4752
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5648
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3040
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6132
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2900
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3748
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5912
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4536
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3404
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3808
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1876
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1636
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2740
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6016
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5324
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4776
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1488
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2480
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1980
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6108
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:4616
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3700
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5084
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2120
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5092
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5664
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5328
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:6112
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5932
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3960
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5044
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:2128
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5844
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:5960
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:580
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:1720
    - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
        
        "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
        5⤵
        
        PID:3816
- - C:\Program Files (x86)\iRocket\iRocket LocSpoof\cef_process.exe
    "C:/Program Files (x86)/iRocket/iRocket LocSpoof/cef_process.exe" --type=renderer --disable-gpu-compositing --no-sandbox --lang=en-US --lang=en-US --log-file="C:\Program Files (x86)\iRocket\iRocket LocSpoof\debug.log" --user-agent="Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko" --disable-extensions --disable-pdf-extension --disable-spell-checking --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="5408.0.164753307\1801927772" /prefetch:1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1844
- - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
    "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:8
  - - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
      adb -L tcp:5037 fork-server server --reply-fd 588
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3968
- - C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe
    "C:\Program Files (x86)\iRocket\iRocket LocSpoof\MFADB\32\adb.exe" devices
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:468

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WebExperienceHostApp.exe" -ServerName:WebExperienceHost.AppXpahb3h9jz84zbzgmz4ndmjv3nas4ah73.mca
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Registers COM server for autorun
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5960
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E26A087BB814100A7FF6D7D61A1B10E7
  2⤵
  PID:932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6418A6DDACFD6A12B790F67CEF0EE767
  2⤵
  PID:5248
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ECCC0524CCA75EAF76E2F895621C263B E Global\MSI0000
  2⤵
  PID:5356
- C:\Windows\System32\MsiExec.exe
  "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll"
  2⤵
  PID:4272
- C:\Windows\syswow64\MsiExec.exe
  "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll"
  2⤵
  PID:5592
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 401DE5B7DC70537975EF38A88355F899
  2⤵
  PID:5380
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding D9061A5695A3DFEFA888BCE2A5292BC1
  2⤵
  PID:6112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 31D8F97B9335B34A74BECFB5EF3988BA E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  PID:4992

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:5588

C:\Program Files\Bonjour\mDNSResponder.exe
"C:\Program Files\Bonjour\mDNSResponder.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:5812

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5972

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
"C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery