hxxp://filecr[.]com

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMChameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	mbamservice.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbamservice.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	_iu14D2N.tmp

Executes dropped EXE 18 IoCs

pid	Process
4660	Patch_AP.24.xx.exe
1700	7z2201.exe
2840	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).exe
3012	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
1524	Patch_MB_5.x.exe
4572	7z2201.exe
4444	7z.exe
4312	7z.exe
4488	rs.exe
1260	rs.tmp
4440	mbamservice.exe
1996	mbamservice.exe
4888	mbamtray.exe
4460	unins000.exe
4228	_iu14D2N.tmp
980	MBAMWsc.exe
2952	mbamservice.exe
4812	mbamwsc.exe

Loads dropped DLL 64 IoCs

pid	Process
3012	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
3012	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
3012	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
3012	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
4444	7z.exe
4312	7z.exe
1260	rs.tmp
1260	rs.tmp
1260	rs.tmp
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
3552	Process not Found
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbshlext.dll"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\""	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	mbamservice.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Y:	mbamservice.exe
File opened (read-only)	\??\H:	mbamservice.exe
File opened (read-only)	\??\L:	mbamservice.exe
File opened (read-only)	\??\P:	mbamservice.exe
File opened (read-only)	\??\U:	mbamservice.exe
File opened (read-only)	\??\X:	mbamservice.exe
File opened (read-only)	\??\Q:	mbamservice.exe
File opened (read-only)	\??\R:	mbamservice.exe
File opened (read-only)	\??\T:	mbamservice.exe
File opened (read-only)	\??\A:	mbamservice.exe
File opened (read-only)	\??\B:	mbamservice.exe
File opened (read-only)	\??\E:	mbamservice.exe
File opened (read-only)	\??\G:	mbamservice.exe
File opened (read-only)	\??\J:	mbamservice.exe
File opened (read-only)	\??\Z:	mbamservice.exe
File opened (read-only)	\??\S:	mbamservice.exe
File opened (read-only)	\??\I:	mbamservice.exe
File opened (read-only)	\??\K:	mbamservice.exe
File opened (read-only)	\??\M:	mbamservice.exe
File opened (read-only)	\??\N:	mbamservice.exe
File opened (read-only)	\??\O:	mbamservice.exe
File opened (read-only)	\??\V:	mbamservice.exe
File opened (read-only)	\??\W:	mbamservice.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CA4458E7366E94A3C3A9C1FE548B6D21_C2C3D990B393462F0B24251F41DF0EF5	mbamservice.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	mbamservice.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EE44ECA143B76F2B9F2A5AA75B5D1EC6_847118BE2683F0C241D1D702F3A3F5F9	mbamservice.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-T3V9H.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-51920.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-04JH7.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\va.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7z.exe	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sw.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\Private\is-0E9H7.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-U28Q0.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-TAV53.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-4A013.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\7-zip.chm	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mn.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\is.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-QSMQS.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\ServiceConfig.json	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\ast.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\uz-cyrl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sk.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-KSAGU.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-LI424.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-56P7F.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\nl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\tg.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-97CTG.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\MBAMSwissArmy.tmf	mbamservice.exe
File opened for modification	C:\Program Files (x86)\7-Zip\History.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-LM9OB.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-96O0K.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ps.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\yo.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fi.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-9A385.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\sdk\farflt.sys	mbamservice.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\pt.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ta.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-23CNE.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-95TM2.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\sr-spl.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gu.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\et.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\lt.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\da.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-ITB8F.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-VBQJM.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-G8RPS.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\mng2.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\sr-spc.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\is-NS6BO.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Dialogs\is-CVNAK.tmp	rs.tmp
File created	C:\Program Files\Malwarebytes\Anti-Malware\Languages\is-RVKIP.tmp	rs.tmp
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gu.txt	7z2201.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ky.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\7zG.exe	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ta.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\io.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ar.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ko.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\fur.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\hy.txt	7z2201.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\QtQuick\Window.2\is-A0KS6.tmp	rs.tmp
File created	C:\Program Files (x86)\7-Zip\Lang\ku.txt	7z2201.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2201.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ELAMBKUP	mbamservice.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	mbamservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mbamservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mbamservice.exe

Delays execution with timeout.exe 19 IoCs

evasion

pid	Process
1984	timeout.exe
4108	timeout.exe
3252	timeout.exe
4672	timeout.exe
432	timeout.exe
2180	timeout.exe
3576	timeout.exe
2716	timeout.exe
3360	timeout.exe
432	timeout.exe
1696	timeout.exe
1852	timeout.exe
4752	timeout.exe
1796	timeout.exe
720	timeout.exe
4084	timeout.exe
1744	timeout.exe
5104	timeout.exe
1008	timeout.exe

Enumerates processes with tasklist 1 TTPs 54 IoCs

Process Discovery

T1057

pid	Process
4492	tasklist.exe
3148	tasklist.exe
4812	tasklist.exe
1648	tasklist.exe
624	tasklist.exe
1344	tasklist.exe
3288	tasklist.exe
2384	tasklist.exe
1436	tasklist.exe
4864	tasklist.exe
1816	tasklist.exe
1396	tasklist.exe
4696	tasklist.exe
1824	tasklist.exe
2032	tasklist.exe
2980	tasklist.exe
5028	tasklist.exe
1672	tasklist.exe
4100	tasklist.exe
2432	tasklist.exe
1884	tasklist.exe
3112	tasklist.exe
2080	tasklist.exe
4748	tasklist.exe
4296	tasklist.exe
3964	tasklist.exe
3032	tasklist.exe
3116	tasklist.exe
3296	tasklist.exe
4200	tasklist.exe
2832	tasklist.exe
772	tasklist.exe
412	tasklist.exe
2968	tasklist.exe
4892	tasklist.exe
2124	tasklist.exe
2748	tasklist.exe
4660	tasklist.exe
1472	tasklist.exe
1256	tasklist.exe
2704	tasklist.exe
1632	tasklist.exe
4244	tasklist.exe
3756	tasklist.exe
3452	tasklist.exe
3620	tasklist.exe
4024	tasklist.exe
4752	tasklist.exe
4492	tasklist.exe
4696	tasklist.exe
2448	tasklist.exe
4984	tasklist.exe
1700	tasklist.exe
400	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	rs.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	rs.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	rs.tmp

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\MY	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	mbamservice.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	mbamservice.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	mbamservice.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\ProgID\ = "MB.TelemetryController.1"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2FB37514-21FA-4B2C-94DA-1562126E9F5F}\ = "_IArwControllerEventsV3"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7DD05E6E-FF07-4CD3-A7BA-200BEC812A5C}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.PoliciesController.1\ = "PoliciesController Class"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\ProgID\ = "MB.UpdateController.1"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014D0CF7-ACC9-4004-B999-7BDBAAD274B7}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4AC5360-A581-42A7-8DD6-D63A5C3AA7F1}\TypeLib\Version = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79CAE9D0-99AA-4FEB-B6B1-1AC1A2D8F874}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3BD2053F-99D1-4C2B-8B45-635183A8F0BF}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\ = "IUpdateControllerV4"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\TypeLib	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\VersionIndependentProgID	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\Version\ = "1.0"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADCD8BEB-8924-4876-AE14-2438FF14FA17}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014D0CF7-ACC9-4004-B999-7BDBAAD274B7}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3498D9E4-6476-4AC0-B53A-75BC9955EF37}\TypeLib\ = "{783B187E-360F-419C-B6DA-592892764A01}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EF16D72-5906-4045-86BC-16826F6212FE}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A9108FB-A377-47EC-96E3-3CB8B1FB7272}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95}\TypeLib\Version = "1.0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{226C1698-A075-4315-BB5D-9C164A96ACE7}\1.0\0\win64	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{49F6AC60-2104-42C6-8F71-B3916D5AA732}\1.0\0\win64\ = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\mbamservice.exe\\8"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B1F1EB48-7803-4D84-B07F-255FE87083F4}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E2870643-0645-41F9-BCCB-F5969386162C}\ = "_IRTPControllerEventsV4"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F14F58B-B908-4644-830F-5ACF8542D27F}\TypeLib\Version = "1.0"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2D1C2BC-3427-478E-A903-ADFBCF5711CD}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.SPController.1\CLSID\ = "{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3F656FD9-2597-4587-8F05-781C11710867}\TypeLib\ = "{5709DEEB-F05E-4D5C-8DC4-3B0D924EE08F}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61DF8ACF-EC61-4D69-A543-20EA450E1A84}\TypeLib	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81541635-736E-4460-81AA-86118F313CD5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A0101B90-FD0B-40CF-90E4-33650F09A80F}\ = "ICleanControllerV3"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7BCC13C-47B9-4DC0-8FC6-B2A489EF60EF}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E96FEF0-48F7-4ECB-B010-501044575477}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81701AB9-0B9C-49FE-9C79-C3C4DCA91E7B}\ = "ICleanControllerV7"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F927AD37-BA5F-4B86-AE22-FE2371B12955}\TypeLib	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{237E618C-D739-4C8A-9F72-5CD4EF91CBE5}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0D8223D-D594-4147-BAD8-1E2B54ED1990}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\Version\ = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B471ACFB-E67A-4BE9-A328-F6A906DDDEAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C0CEAFA7-4F65-418C-8A61-92B2048115EE}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\ = "_IArwControllerEventsV2"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{893E5593-9490-4E90-9F1E-0B786EC41470}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{21EA9E3C-6507-4725-8F4F-ED4DDDE7A709}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.LicenseController.1\CLSID\ = "{580243BF-3CEE-4131-A599-C6FED66BEB1B}"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AC5390D0-3831-4D42-BD1D-8151A5A1742C}\ = "IScanControllerEvents"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78E69E6F-EC12-4B84-8431-1D68572C7A61}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ADA09B8D-A536-4429-8331-49808442D24B}\ = "_IScanControllerEventsV4"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6EC225D5-FD37-4F9B-B80F-09FAE36103AE}\ = "IMWACControllerV2"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4215DAB-7574-44DE-8BE9-78CC62597C95}\ = "IUpdateControllerV9"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6C1047E9-9ADC-4F8A-8594-036375F53103}\TypeLib\Version = "1.0"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4E0987E3-3699-4C92-8E76-CAEDA00FA44C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{239C7555-993F-4071-9081-D2AE0B590D63}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{090D2E82-C71B-414E-AF6A-6681A92FF2B3}	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F77B440A-6CBC-4AFD-AA22-444552960E50}\ = "IScanController"	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F1E58D1A-2918-4508-908A-601219B2CCC6}\ = "IArwControllerEventsV4"	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1BA0B73-14BD-4C9D-98CA-99355BD4EB24}\ProxyStubClsid32	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C842243-BDAD-4A93-B282-93E3FCBC1CA4}\ProxyStubClsid32	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{08932AD2-C415-4DE8-821D-5AF7A5658483}	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0E2822AB-0447-4F28-AF4C-FFDB1E8595AE}	mbamservice.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C5B86F3-CEB8-44E3-9B83-6F6AF035E872}\ProxyStubClsid32	mbamservice.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.CloudController\CurVer\ = "MB.CloudController.1"	mbamservice.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc250f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df020000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc32000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mbamservice.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a80300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	mbamtray.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df0030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4740f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	mbamtray.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4888	mbamtray.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4288	chrome.exe
4288	chrome.exe
900	powershell.exe
900	powershell.exe
4196	powershell.exe
4196	powershell.exe
4196	powershell.exe
4196	powershell.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
4888	mbamtray.exe
4888	mbamtray.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
1996	mbamservice.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3280	7zFM.exe
1444	7zFM.exe
1596	7zFM.exe

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe
Token: SeShutdownPrivilege	4076	chrome.exe
Token: SeCreatePagefilePrivilege	4076	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe
4076	chrome.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4044	OpenWith.exe
4660	Patch_AP.24.xx.exe
1700	7z2201.exe
2840	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).exe
3012	uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
1524	Patch_MB_5.x.exe
4572	7z2201.exe
4444	7z.exe
4312	7z.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
4888	mbamtray.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe
1744	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 2240	4076	chrome.exe	82
PID 4076 wrote to memory of 2240	4076	chrome.exe	82
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1128	4076	chrome.exe	84
PID 4076 wrote to memory of 1696	4076	chrome.exe	85
PID 4076 wrote to memory of 1696	4076	chrome.exe	85
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86
PID 4076 wrote to memory of 4392	4076	chrome.exe	86

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
396	attrib.exe
3348	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://filecr.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aba4ab58,0x7ff9aba4ab68,0x7ff9aba4ab78
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:2
  2⤵
  PID:1128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2992 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3600 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4296 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4788 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5108 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5164 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5372 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5228 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5488 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5688 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5720 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5200 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1888 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5528 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4912 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=1552 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=1712 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=2432 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5588 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6356 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6428 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=6448 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5844 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=6764 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=6496 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6256 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5516 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=4728 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5632 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=4912 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6296 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7204 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7380 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=6676 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7728 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6400 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=7832 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7640 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 --field-trial-handle=1912,i,13546990005394513999,1457483764956771302,131072 /prefetch:8
  2⤵
  PID:1348

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:644

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual [FileCR].zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3280

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual [FileCR].zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1444

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\" -an -ai#7zMap3175:206:7zEvent16465
1⤵
PID:2384

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\Patch_AP.24.xx.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1596

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\a01.7z"
1⤵
PID:4488

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\avas.7z"
1⤵
PID:2904

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\cnf"
1⤵
PID:4476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4044
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\cnf
  2⤵
  PID:4976

C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\Patch_AP.24.xx.exe
"C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\Patch_AP.24.xx.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4660
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4253H7D4.bat" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\Patch_AP.24.xx.exe" "
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\qbE5D7439.66\7z2201.exe
    "C:\Users\Admin\AppData\Local\Temp\qbE5D7439.66\7z2201.exe" /S
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Please install program "
    3⤵
    PID:752
- - C:\Windows\system32\msg.exe
    msg *
    3⤵
    PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
    3⤵
    PID:3156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_LocalTime Get Day,Month,Year /value
      4⤵
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    PID:3212
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
    3⤵
    PID:3712
- - C:\Windows\system32\reg.exe
    reg Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
    3⤵
    PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
    3⤵
    PID:1676
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
      4⤵
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
    3⤵
    PID:3756
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
      4⤵
      PID:3768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x338
1⤵
PID:2492

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable) [FileCR].zip"
1⤵
PID:3152

C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).exe
"C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2840
- C:\Users\Admin\AppData\Local\Temp\is-PI8EN.tmp\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PI8EN.tmp\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).tmp" /SL5="$403AE,35465855,215552,C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable).exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Malwarebytes Premium 5.1.1.106 Multilingual [FileCR].zip"
1⤵
PID:1796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\" -an -ai#7zMap8351:410:7zEvent1104
1⤵
PID:1292

C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\Patch_MB_5.x.exe
"C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\Patch_MB_5.x.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\46XAQ2JL.bat" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\Patch_MB_5.x.exe" "
  2⤵
  - Drops file in Drivers directory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\qbE657FF9.38\7z2201.exe
    "C:\Users\Admin\AppData\Local\Temp\qbE657FF9.38\7z2201.exe" /S
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:4572
- - C:\Windows\system32\attrib.exe
    attrib -r C:\Windows\System32\drivers\etc\hosts
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr "keystone" "C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3076
  - - C:\Windows\system32\findstr.exe
      findstr "keystone" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c findstr "holocron" "C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2416
  - - C:\Windows\system32\findstr.exe
      findstr "holocron" "C:\Windows\System32\drivers\etc\hosts"
      4⤵
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\pb.cmd"
    3⤵
    PID:2052
  - - C:\Windows\system32\mode.com
      mode con:cols=86 lines=36
      4⤵
      PID:3336
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3292
  - - C:\Windows\system32\mode.com
      mode 70,4
      4⤵
      PID:1196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy/Z "C:\Users\Admin\AppData\Local\Temp\pb.cmd" nul
      4⤵
      PID:1880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c echo prompt $H|cmd
      4⤵
      PID:4836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo prompt $H"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\cmd.exe
        
        cmd
        5⤵
        
        PID:1128
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1696
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:432
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4084
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1852
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2180
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:3576
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4752
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1796
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:2716
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:3360
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4108
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:720
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:3252
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1744
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:5104
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:4672
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:1008
  - - C:\Windows\system32\timeout.exe
      timeout.exe 5
      4⤵
      Delays execution with timeout.exe
      PID:432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3268
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2400
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2180
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2536
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:624
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4036
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3516
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2968
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1020
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3528
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3296
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4368
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3904
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1932
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:780
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2232
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2960
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2416
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3600
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2272
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4496
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1368
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3636
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:752
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1860
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2248
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4672
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1776
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2996
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4412
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:840
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3448
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1304
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4688
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2376
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3308
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:464
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3928
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:2468
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4236
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3200
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1696
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:3756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1992
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3168
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:3076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:4228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:1256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
      4⤵
      PID:1612
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /fi "imagename eq Malwarebytes.exe" /fo csv /nh
        5⤵
        Enumerates processes with tasklist
        
        PID:4296
- - C:\Program Files (x86)\7-Zip\7z.exe
    "C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\qbE657FF9.38\ck.7z" -o"C:\ProgramData" -pDFGkjgdfkjghfdjg7y7fyhdkghdfg -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4444
- - C:\Program Files (x86)\7-Zip\7z.exe
    "C:\Program Files (x86)\7-Zip\7z.exe" x "C:\Users\Admin\AppData\Local\Temp\qbE657FF9.38\rs.7z" -o"C:\Users\Admin\AppData\Local\Temp" -phfgdhgGDFGdfhmjdfh5gf6fdk7hjdf -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -FilePath 'C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -FilePath 'C:\Users\Admin\AppData\Local\Temp\rs.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\rs.exe
      "C:\Users\Admin\AppData\Local\Temp\rs.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      4⤵
      Executes dropped EXE
      PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\is-F7JM2.tmp\rs.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F7JM2.tmp\rs.tmp" /SL5="$803BA,63820596,239616,C:\Users\Admin\AppData\Local\Temp\rs.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies Internet Explorer settings
        
        PID:1260
      - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-8IDAK.tmp\BaltimoreCyberTrustRoot.crt"
        6⤵
        
        PID:4132
      - C:\Windows\system32\certutil.exe
        
        "certutil.exe" -f -addStore root "C:\Users\Admin\AppData\Local\Temp\is-8IDAK.tmp\DigiCertEVRoot.crt"
        6⤵
        
        PID:1988
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /service /Protected
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Registers COM server for autorun
        Drops file in System32 directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:4440
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1984
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\ProgramData\tl"
    3⤵
    - Views/modifies file attributes
    PID:3348
- - C:\Windows\system32\xcopy.exe
    xcopy /C /H /Q /R /Y "C:\ProgramData\Malwarebytes\MBAMService\config\LicenseConfig.json" "C:\ProgramData\tl"
    3⤵
    PID:3500
- - C:\Windows\system32\xcopy.exe
    xcopy /C /H /Q /R /Y "C:\ProgramData\Malwarebytes\MBAMService\config\ScanConfig.json" "C:\ProgramData\tl"
    3⤵
    PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell start-process -FilePath 'C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe' -ArgumentList '/VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-' -NoNewWindow -Wait
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4572
  - - C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe
      "C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
      4⤵
      Executes dropped EXE
      PID:4460
    - - C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Malwarebytes\Anti-Malware\unins000.exe" /FIRSTPHASEWND=$11023A /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4228
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe" /unregserver
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:2952
      - C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe
        
        "C:\Program Files\Malwarebytes\Anti-Malware\mbamwsc.exe" /uninstall
        6⤵
        Executes dropped EXE
        
        PID:4812
      - C:\Windows\system32\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\Malwarebytes\Anti-Malware\mbshlext.dll"
        6⤵
        
        PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic path win32_LocalTime Get Day,Month,Year /value
    3⤵
    PID:4752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_LocalTime Get Day,Month,Year /value
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
    3⤵
    PID:2448
  - - C:\Windows\system32\tasklist.exe
      tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
      4⤵
      Enumerates processes with tasklist
      PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
    3⤵
    PID:5092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\" -an -ai#7zMap21249:426:7zEvent3
1⤵
PID:3648

C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe
"C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:1996
- C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4888
- C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe
  "C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 1 /status off true /updatesubstatus none /scansubstatus recommended /settingssubstatus none
  2⤵
  - Executes dropped EXE
  PID:980

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\cnf"
1⤵
PID:4904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1744
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\cnf
  2⤵
  PID:1932

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\pb.cmd
1⤵
PID:3508

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\rs.7z"
1⤵
PID:840

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\licmmm.7z"
1⤵
PID:2328

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Avast Premium Security 24.2.6104 (build 24.2.8904.819) Multilingual\uTorrent Pro 3.6.0 Build 46896 Stable RePack (& Portable)\Malwarebytes Premium 5.1.1.106 Multilingual\ck.7z"
1⤵
PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery