cobaltstrike | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

Virtualization/Sandbox Evasion

T1497

Processes:

GlassWire.exeGlassWireSetup.exeGWInstSt.exeGWCtlSrv.exeGWCtlSrv.exeGWCtlSrv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GlassWire.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GlassWireSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GWInstSt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GWCtlSrv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GWCtlSrv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GWCtlSrv.exe

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exerundll32.exe

flow pid process

164 1684 msiexec.exe
166 5732 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

flow	pid	process
164	1684	msiexec.exe
166	5732	rundll32.exe

Drops file in Drivers directory 14 IoCs

Processes:

GlassWireSetup.exeRAVEndPointProtection-installer.exeMBSetup.exeMBAMService.exeMBAMService.exeMBAMInstallerService.exe

description	ioc	process
File created	C:\Windows\System32\drivers\gwdrv.cat	GlassWireSetup.exe
File opened for modification	C:\Windows\System32\drivers\gwdrv.cat	GlassWireSetup.exe
File created	C:\Windows\System32\drivers\gwdrv.inf	GlassWireSetup.exe
File created	C:\Windows\system32\drivers\rsKernelEngine.sys	RAVEndPointProtection-installer.exe
File opened for modification	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	MBSetup.exe
File created	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\mbamswissarmy.sys	MBAMService.exe
File created	C:\Windows\system32\DRIVERS\MbamChameleon.sys	MBAMService.exe
File created	C:\Windows\System32\drivers\gwdrv.sys	GlassWireSetup.exe
File opened for modification	C:\Windows\system32\DRIVERS\MbamElam.sys	MBAMService.exe
File created	C:\Windows\system32\drivers\rsCamFilter020502.sys	RAVEndPointProtection-installer.exe
File created	C:\Windows\system32\drivers\mbae64.sys	MBAMInstallerService.exe
File created	C:\Windows\system32\drivers\rsElam.sys	RAVEndPointProtection-installer.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPVerifyIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30\FuncName = "WVTAsn1SpcSigInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.27\FuncName = "WVTAsn1SpcFinancialCriteriaInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11\FuncName = "WVTAsn1SpcStatementTypeEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "GenericChainCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12\FuncName = "WVTAsn1SpcSpOpusInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.4.4\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1\FuncName = "WVTAsn1CatNameValueEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverCleanupPolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.3\DefaultId = "{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000\FuncName = "WVTAsn1SpcSpAgencyInfoDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\FuncName = "WVTAsn1SpcStatementTypeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\FuncName = "WVTAsn1SpcLinkEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\DefaultId = "{573E31F8-AABA-11D0-8CCB-00C04FC295EE}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

11288 takeown.exe
11356 icacls.exe
11396 takeown.exe
11464 icacls.exe
5704 takeown.exe
11840 icacls.exe

pid	process
11288	takeown.exe
11356	icacls.exe
11396	takeown.exe
11464	icacls.exe
5704	takeown.exe
11840	icacls.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

MBAMService.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MBAMSwissArmy\ImagePath = "\\SystemRoot\\System32\\Drivers\\mbamswissarmy.sys"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mbamchameleon\ImagePath = "\\SystemRoot\\System32\\Drivers\\MbamChameleon.sys"	MBAMService.exe

Checks BIOS information in registry 2 TTPs 19 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

GlassWireSetup.exeGWCtlSrv.exeGWCtlSrv.exeGlassWire.exeMBAMService.exersEngineSvc.exeGWInstSt.exeMBSetup.exembupdatrV5.exeGWCtlSrv.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GlassWireSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GlassWire.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rsEngineSvc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GWInstSt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GlassWire.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mbupdatrV5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mbupdatrV5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GlassWireSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GWInstSt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	MBSetup.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

GlassWireSetup.exednplayer.exersAppUI.exersAppUI.exewinzip28.exeGlassWire.exeavg_secure_browser_setup.exeaj6097.exersAppUI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	GlassWireSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	dnplayer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rsAppUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	winzip28.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	GlassWire.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	avg_secure_browser_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	aj6097.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	rsAppUI.exe

Executes dropped EXE 64 IoCs

Processes:

DXSETUP.exeUn_A.exeGlassWireSetup.exevc_redist.x86.exevc_redist.x86.exeGWInstSt.exeGWCtlSrv.exeGWCtlSrv.exeGWCtlSrv.exeGlassWire.exeavg_secure_browser_setup.exeaj6097.exeLDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exeMBSetup.exeMBAMInstallerService.exeMBVpnTunnelService.exeMBAMService.exeMBAMService.exeMalwarebytes.exersStubActivator.exesaBSI.exetxjzd1me.exeRAVEndPointProtection-installer.exersSyncSvc.exersSyncSvc.exeLDPlayer.exeinstaller.exeinstaller.exednrepairer.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exersWSC.exersWSC.exembupdatrV5.exersClientSvc.exersClientSvc.exersEngineSvc.exersEngineSvc.exersHelper.exeEPP.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersAppUI.exersLitmus.A.exersAppUI.exewinrar-x64-700.exewinrar-x64-700.exewinzip28.exewinzip28.exednplayer.exeLd9BoxSVC.exeLd9BoxHeadless.exe

pid	process
1468	DXSETUP.exe
3536	Un_A.exe
6396	GlassWireSetup.exe
6876	vc_redist.x86.exe
6180	vc_redist.x86.exe
7608	GWInstSt.exe
7696	GWCtlSrv.exe
5392	GWCtlSrv.exe
5404	GWCtlSrv.exe
6852	GlassWire.exe
2460	avg_secure_browser_setup.exe
200	aj6097.exe
8280	LDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exe
10076	MBSetup.exe
9368	MBAMInstallerService.exe
9916	MBVpnTunnelService.exe
10816	MBAMService.exe
10124	MBAMService.exe
10692	Malwarebytes.exe
10056	rsStubActivator.exe
9256	saBSI.exe
10616	txjzd1me.exe
9624	RAVEndPointProtection-installer.exe
8484	rsSyncSvc.exe
4180	rsSyncSvc.exe
10448	LDPlayer.exe
9236	installer.exe
9936	installer.exe
9504	dnrepairer.exe
9612	Ld9BoxSVC.exe
11408	driverconfig.exe
10912	dnplayer.exe
9972	Ld9BoxSVC.exe
10440	vbox-img.exe
9328	vbox-img.exe
12032	vbox-img.exe
12052	Ld9BoxHeadless.exe
11668	Ld9BoxHeadless.exe
11596	Ld9BoxHeadless.exe
11456	Ld9BoxHeadless.exe
10112	Ld9BoxHeadless.exe
12376	rsWSC.exe
11792	rsWSC.exe
11596	mbupdatrV5.exe
5792	rsClientSvc.exe
11924	rsClientSvc.exe
11912	rsEngineSvc.exe
12584	rsEngineSvc.exe
12932	rsHelper.exe
12976	EPP.exe
13012	rsAppUI.exe
12088	rsAppUI.exe
11200	rsAppUI.exe
11884	rsAppUI.exe
9128	rsAppUI.exe
7112	rsLitmus.A.exe
9684	rsAppUI.exe
10168	winrar-x64-700.exe
9044	winrar-x64-700.exe
9928	winzip28.exe
10924	winzip28.exe
13888	dnplayer.exe
11508	Ld9BoxSVC.exe
6860	Ld9BoxHeadless.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exerundll32.exeMsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exeDXSETUP.exeUn_A.exeGlassWireSetup.exevc_redist.x86.exeGWCtlSrv.exeGWCtlSrv.exeGWCtlSrv.exeGlassWire.exeavg_secure_browser_setup.exe

pid	process
6108	MsiExec.exe
6108	MsiExec.exe
6108	MsiExec.exe
5296	rundll32.exe
5296	rundll32.exe
5296	rundll32.exe
5296	rundll32.exe
5296	rundll32.exe
3532	MsiExec.exe
3532	MsiExec.exe
5732	rundll32.exe
5732	rundll32.exe
5732	rundll32.exe
5732	rundll32.exe
5732	rundll32.exe
3532	MsiExec.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
2192	rundll32.exe
3532	MsiExec.exe
5404	rundll32.exe
5404	rundll32.exe
5404	rundll32.exe
5404	rundll32.exe
5404	rundll32.exe
5180	MsiExec.exe
5968	rundll32.exe
5968	rundll32.exe
5968	rundll32.exe
5968	rundll32.exe
5968	rundll32.exe
1468	DXSETUP.exe
1468	DXSETUP.exe
1468	DXSETUP.exe
1468	DXSETUP.exe
3536	Un_A.exe
3536	Un_A.exe
3536	Un_A.exe
6396	GlassWireSetup.exe
6180	vc_redist.x86.exe
6396	GlassWireSetup.exe
6396	GlassWireSetup.exe
6396	GlassWireSetup.exe
6396	GlassWireSetup.exe
6396	GlassWireSetup.exe
6396	GlassWireSetup.exe
6396	GlassWireSetup.exe
7696	GWCtlSrv.exe
6396	GlassWireSetup.exe
5392	GWCtlSrv.exe
5404	GWCtlSrv.exe
5404	GWCtlSrv.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
2460	avg_secure_browser_setup.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

11356 icacls.exe
11396 takeown.exe
11464 icacls.exe
5704 takeown.exe
11840 icacls.exe
11288 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
11356	icacls.exe
11396	takeown.exe
11464	icacls.exe
5704	takeown.exe
11840	icacls.exe
11288	takeown.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

MBAMService.exednrepairer.exeregsvr32.exeMBAMService.exeLd9BoxSVC.exeregsvr32.exeLd9BoxSVC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InprocServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BF474111-9116-45C6-AF53-209E64F1BB53}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11D1E5E8-14E1-4B5B-AE1A-2678CB91E8E5}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BE31822-FDAD-461B-AD51-BE1D1C159921}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5599B6B-FA0C-45B5-8309-853B003EA412}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{36A65E46-6CC1-4CA2-B51E-F4DD8C993DDC}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F6D29500-933C-447C-9D88-9D814AF73808}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{580243BF-3CEE-4131-A599-C6FED66BEB1B}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{251AD013-20AD-4C3F-8FE2-F66A429B4819}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1AC7139-D1FF-4DE9-84A4-92E2B47F5D2A}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxC.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-26c0-4fe1-bf6f-67f633265bba}\InprocServer32\ThreadingModel = "Free"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8F1C46F8-E697-4175-B240-CDE682A4BA2D}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{376BE474-56D4-4177-BB4E-5610156F36C8}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EE8A9269-9E6E-4683-BCD3-41E9B16696DC}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{17BE78EE-B40A-4B9E-835F-38EC62F9D479}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32	dnrepairer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32\ = "\"C:\\Program Files\\ldplayer9box\\Ld9BoxSVC.exe\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-47b9-4a1e-82b2-07ccd5323c3f}\LocalServer32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\LocalServer32	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{130CD414-6BFD-4F6C-9362-A2264B222E76}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03141A2A-5C3A-458E-ABEC-0812AD7FF497}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F36AD0D0-B5F0-4C69-AF08-603D177FEF0E}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-c9d2-4f11-a384-53f0cf917214}\InprocServer32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DE03E614-112D-43E0-8E15-E7236CC32108}\LocalServer32\ServerExecutable = "C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{57CE581A-0CB6-4266-9CA0-19364C90A0B3}\InprocServer32\ThreadingModel = "Apartment"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ = "C:\\Program Files\\ldplayer9box\\VBoxProxyStub.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F415899A-1576-4C8B-BC9F-4854781F8A20}\LocalServer32\ = "\"C:\\Program Files\\Malwarebytes\\Anti-Malware\\MBAMService.exe\""	MBAMService.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/7608-11367-0x0000000000E20000-0x0000000001416000-memory.dmp	themida
behavioral1/memory/7608-11411-0x0000000000E20000-0x0000000001416000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

DXSETUP.exerundll32.exeGlassWireSetup.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\DXTempFolder = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\DX409F.tmp\\\""	DXSETUP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\GlassWire = "\"C:\\Program Files (x86)\\GlassWire\\glasswire.exe\" -hide"	GlassWireSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Checks for any installed AV software in registry 1 TTPs 4 IoCs

Security Software Discovery

T1518.001

Processes:

avg_secure_browser_setup.exeaj6097.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\SOFTWARE\AVAST Software\Avast	avg_secure_browser_setup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	aj6097.exe
Key opened	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\SOFTWARE\AVAST Software\Avast	aj6097.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

Processes:

GWInstSt.exeGWCtlSrv.exeGWCtlSrv.exeGWCtlSrv.exeGlassWire.exeGlassWireSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GWInstSt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GWCtlSrv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GlassWire.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GlassWireSetup.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

DXSETUP.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini DXSETUP.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	DXSETUP.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

MBAMInstallerService.exemsiexec.exemsiexec.exeMBAMService.exetakeown.exetakeown.exe

description	ioc	process
File opened (read-only)	\??\W:	MBAMInstallerService.exe
File opened (read-only)	\??\X:	MBAMInstallerService.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	MBAMInstallerService.exe
File opened (read-only)	\??\G:	MBAMInstallerService.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMService.exe
File opened (read-only)	\??\Z:	MBAMService.exe
File opened (read-only)	\??\K:	MBAMInstallerService.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\S:	MBAMService.exe
File opened (read-only)	\??\M:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	MBAMInstallerService.exe
File opened (read-only)	\??\N:	MBAMService.exe
File opened (read-only)	\??\R:	MBAMService.exe
File opened (read-only)	\??\N:	MBAMInstallerService.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	MBAMService.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	MBAMService.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	MBAMService.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	MBAMService.exe
File opened (read-only)	\??\O:	MBAMInstallerService.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	MBAMInstallerService.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMInstallerService.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	MBAMInstallerService.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	MBAMService.exe
File opened (read-only)	\??\H:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMService.exe
File opened (read-only)	\??\X:	MBAMService.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	MBAMService.exe
File opened (read-only)	\??\P:	MBAMService.exe
File opened (read-only)	\??\F:	takeown.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	MBAMInstallerService.exe
File opened (read-only)	\??\Q:	MBAMInstallerService.exe
File opened (read-only)	\??\M:	MBAMService.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	MBAMService.exe
File opened (read-only)	\??\V:	MBAMInstallerService.exe
File opened (read-only)	\??\I:	MBAMInstallerService.exe
File opened (read-only)	\??\V:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

aj6097.exe

description ioc process

File opened for modification \??\PhysicalDrive0 aj6097.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	aj6097.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\ProgramData\ReasonLabs\EPP\SignaturesYFS.dat.tmp	autoit_exe

Drops file in System32 directory 64 IoCs

Processes:

DXSETUP.exeMBVpnTunnelService.exersEngineSvc.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SET42A3.tmp	DXSETUP.exe
File created	C:\Windows\System32\DriverStore\FileRepository\nete1g3e.inf_amd64_af58b4e19562a3f9\nete1g3e.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6DB145CFEEC544B1582FED1ADA3370DD	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_EF6C9357BB54DDB629FD2D79F1594F95	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netmlx5.inf_amd64_1c5d76930978e302\netmlx5.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mwlu97w8x64.inf_amd64_b3e8bb77ffa9d174\mwlu97w8x64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_d271ba5a9c993ac3\netathr10x.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D96A4C3B75E862E237A6B89F58F74354	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0FD7C8CB35A5508C225BD37696B3744C	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\Temp\{549d0c94-41bc-5840-9a8e-feae1ebc323e}\SETAB01.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_686A447EF0220EBC1D36EF897F31F606	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_DC03E45EC7611F50ADAEBABE405A8C4C	rsEngineSvc.exe
File created	C:\Windows\SysWOW64\SET41E7.tmp	DXSETUP.exe
File created	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_0e1cf7c50ca4ffaa\dc21x4vm.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwns64.inf_amd64_c9c15e7d233d6d5d\netwns64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1c63x64.inf_amd64_4d6630ce07a4fb42\netl1c63x64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{549d0c94-41bc-5840-9a8e-feae1ebc323e}\SETAB01.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwwanmp.inf_amd64_c2e5b727d1a623c7\netvwwanmp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwsw00.inf_amd64_24d55504ae3587aa\netwsw00.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtwlane_13.inf_amd64_f3d0d8bd79ab9a02\netrtwlane_13.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rndiscmp.inf_amd64_68ba6e09a25225a9\rndiscmp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrndis.inf_amd64_b32102a0c2920c07\netrndis.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_ec0c19c95c819b82\net8185.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvf63a.inf_amd64_afddbbd6046998bc\netvf63a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvwifimp.inf_amd64_356b66ad47b23393\netvwifimp.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\Temp\{549d0c94-41bc-5840-9a8e-feae1ebc323e}\SETAB02.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D84E548583BE1EE7DB5A935821009D26_5B98B6CD6E69202676965CF5B0E2A7A7	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew01.inf_amd64_84bf249d7c59a58c\netwew01.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3E3E9689537B6B136ECF210088069D55_A925FAB5FFC3CEDB8E62B2DCCBBBB4F2	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0972B7C417F696E06E186AEB26286F01_30B4D916E12169D9CB0BC7A11DE46EA6	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_C33468BC5883F8C26A2F912726D45EFA	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\d3dx10_43.dll	DXSETUP.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net1ic64.inf_amd64_5d49cc27a6d05e5c\net1ic64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_bc859d32f3e2f0d5\net8187bv64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netbc64.inf_amd64_6c303885965f99b8\netbc64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netjme.inf_amd64_752bf22f1598bb7e\netjme.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_35bbbe80dec15683\netnvm64.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_E2B2C48F2C378D0C3347FECCD57676BA	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\SET41F7.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\d3dcsx_43.dll	DXSETUP.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88179_178a.inf_amd64_3bab30cbbbda44a6\netax88179_178a.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7500-x64-n650f.inf_amd64_dff77c5916143290\net7500-x64-n650f.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netvg63a.inf_amd64_9f5493180b1252cf\netvg63a.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAEBE581FCB73249406FC21094EA252E_BC0CE803EF41A748738619ED7838EEFC	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwew00.inf_amd64_6174f7431c31c88b\netwew00.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netxex64.inf_amd64_ede00b448bfe8099\netxex64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netax88772.inf_amd64_d2ca514cf72a9a18\netax88772.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_08f6d3fc478987f0\wceisvista.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC68FB72D4FBC7E0F151BC2282D75E47_367FA2447481C3DB640CE44BE2E5A181	rsEngineSvc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ykinx64.inf_amd64_9968491cd13abd17\ykinx64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net9500-x64-n650f.inf_amd64_621ce01db587a93c\net9500-x64-n650f.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\net7800-x64-n650f.inf_amd64_387464037c2d56cf\net7800-x64-n650f.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\Temp\{549d0c94-41bc-5840-9a8e-feae1ebc323e}\SETAB03.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6DB145CFEEC544B1582FED1ADA3370DD	rsEngineSvc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_38924EDF39D8802D6946FB22E5DD0835	rsEngineSvc.exe
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSETUP.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netwmbclass.inf_amd64_383eaad9c343710d\netwmbclass.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netl1e64.inf_amd64_291f12bd323b3ff3\netl1e64.PNF	MBVpnTunnelService.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ndisimplatformmp.inf_amd64_165de0e69bb420c9\ndisimplatformmp.PNF	MBVpnTunnelService.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	rsEngineSvc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

GlassWireSetup.exeGWInstSt.exeGWCtlSrv.exeGWCtlSrv.exeGWCtlSrv.exeGlassWire.exe

pid	process
6396	GlassWireSetup.exe
7608	GWInstSt.exe
7696	GWCtlSrv.exe
7696	GWCtlSrv.exe
5392	GWCtlSrv.exe
5392	GWCtlSrv.exe
5404	GWCtlSrv.exe
5404	GWCtlSrv.exe
5404	GWCtlSrv.exe
6852	GlassWire.exe

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exemsiexec.exeUn_A.exeMBAMInstallerService.exeinstaller.exeRAVEndPointProtection-installer.exeMBSetup.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\VBoxRT.dll	dnrepairer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\lkt.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\ro.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\th_TH.res	msiexec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll	Un_A.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo	Un_A.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\MbamBgNativeMsg.exe	MBAMInstallerService.exe
File opened for modification	C:\Program Files\McAfee\Temp2944930062\jslang\eula-nb-NO.txt	installer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\ti_ET.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Slate\Common\ColumnHeader_Hovered.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\os.res	msiexec.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.WindowsDesktop.App\6.0.28\ko\WindowsBase.resources.dll	MBAMInstallerService.exe
File created	C:\Program Files\ReasonLabs\EPP\133587249196508541\System.Security.AccessControl.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\sd.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\en_TO.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\coll\ln.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\af.res	msiexec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_es_plugin.dll	Un_A.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\es_CR.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\sv.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\ps_PK.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\fr_VU.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\ff_Latn_MR.res	msiexec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\create_stream.html	Un_A.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Security.Cryptography.Cng.dll	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\brkitr\res_index.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\coll\ne.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\ast.res	msiexec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\	Un_A.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\vai_Latn.res	msiexec.exe
File opened for modification	C:\Program Files\McAfee\Temp2944930062\wa_logo2.png	installer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\os.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\cy.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\shi_Tfng_MA.res	msiexec.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\cd64c237-d88c-4753-9816-a47473357a9b	MBSetup.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.deps.json	MBAMInstallerService.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\eo.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\es_MX.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\brkitr\sent.brk	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\tg.res	msiexec.exe
File created	C:\Program Files\ldplayer9box\NetAdpUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ReasonLabs\EPP\ReasonLabs-EPP.7z	RAVEndPointProtection-installer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\ak.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\in.res	msiexec.exe
File opened for modification	C:\Program Files\McAfee\Temp2944930062\jslang\wa-res-install-fi-FI.js	installer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\coll\yue_Hans.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\coll\gu.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\jmc.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\bs_Latn.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\asa.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\en_MU.res	msiexec.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo	Un_A.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico	Un_A.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\	Un_A.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\	Un_A.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\shared\Microsoft.NETCore.App\6.0.28\System.Xml.XPath.dll	MBAMInstallerService.exe
File created	C:\Program Files\ReasonLabs\EPP\133587249196508541\rsEngineSvc.RPC.JSONInterface.dll	RAVEndPointProtection-installer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\gu.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\mo.res	msiexec.exe
File created	C:\Program Files\ldplayer9box\libcrypto-1_1-x64.dll	dnrepairer.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\ff_GN.res	msiexec.exe
File created	C:\Program Files\ldplayer9box\x86\msvcr120.dll	dnrepairer.exe

Drops file in Windows directory 53 IoCs

Processes:

msiexec.exedism.exeDrvInst.exeMBAMService.exeMicrosoftEdge.exerundll32.exeDXSETUP.exeMicrosoftEdgeCP.exerundll32.exesvchost.exetaskmgr.exerundll32.exeMBVpnTunnelService.exerundll32.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFE3.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\ELAMBKUP\MbamElam.sys	MBAMService.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSIEA92.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	DXSETUP.exe
File opened for modification	C:\Windows\Logs\DXError.log	DXSETUP.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3BB.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	taskmgr.exe
File opened for modification	C:\Windows\Installer\e5adfa3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2FF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFE3.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	MBVpnTunnelService.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Installer\MSI1BB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BB8.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1BB8.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\{B85FAA6E-A9AA-4655-9029-E1A4EDC05E1A}\Installer.ico	msiexec.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File opened for modification	C:\Windows\Installer\MSIE3BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA92.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEA92.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEFE3.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED91.tmp	msiexec.exe
File created	C:\Windows\Installer\e5adfa3.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B85FAA6E-A9AA-4655-9029-E1A4EDC05E1A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFE3.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1BB8.tmp-\CustomActionManaged.dll	rundll32.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\Installer\e5adfa5.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\E6AAF58BAA9A556409921E4ADE0CE5A1\1.3.93\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Installer\MSIE3BB.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE3BB.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\{B85FAA6E-A9AA-4655-9029-E1A4EDC05E1A}\Installer.ico	msiexec.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

11380 sc.exe
10880 sc.exe
14140 sc.exe
14136 sc.exe
11588 sc.exe
11668 sc.exe
11328 sc.exe
11728 sc.exe
11676 sc.exe
9308 sc.exe
4832 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
11380	sc.exe
10880	sc.exe
14140	sc.exe
14136	sc.exe
11588	sc.exe
11668	sc.exe
11328	sc.exe
11728	sc.exe
11676	sc.exe
9308	sc.exe
4832	sc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exesvchost.exeDrvInst.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

firefox.exednplayer.exerunonce.exednplayer.exeMBAMService.exerunonce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MBAMService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

10848 taskkill.exe
8520 taskkill.exe
8764 taskkill.exe
7620 taskkill.exe

pid	process
10848	taskkill.exe
8520	taskkill.exe
8764	taskkill.exe
7620	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

Processes:

MBAMInstallerService.exednplayer.exednplayer.exeMBAMService.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Malwarebytes.exe = "11000"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMInstallerService.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbam.exe = "11000"	MBAMService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\mbamtray.exe = "11000"	MBAMService.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MBAMInstallerService.exeDXSETUP.exeDrvInst.exersEngineSvc.exeMBAMService.exembupdatrV5.exersWSC.exeGWCtlSrv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DXSETUP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\Office\15.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DXSETUP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	GWCtlSrv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Malwarebytes\FirstRun = "false"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\Office\15.0\Common\Security\Trusted Protocols	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0\Common	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DXSETUP.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0"	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DXSETUP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DXSETUP.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Malwarebytes	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122 = "Windows Firewall"	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Office\16.0	MBAMInstallerService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	mbupdatrV5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MBAMService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rsWSC.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	rsEngineSvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MBAMInstallerService.exe

Modifies registry class 64 IoCs

Processes:

MBAMService.exeregsvr32.exeregsvr32.exeMicrosoftEdgeCP.exeLd9BoxSVC.exeMBAMService.exeregsvr32.exeMicrosoftEdge.exeUn_A.exeLd9BoxSVC.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE6A4256-97CD-4DBB-9D4A-3054B0BB0F8B}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{332AFEBA-9341-4CEC-8EA6-DB155A99DF63}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0C60-11EA-A0EA-07EB0D1C4EAD}\NumMethods\ = "49"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-057D-4391-B928-F14B06B710C5}\ProxyStubClsid32	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ldplayer.net\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\youtube.com\Total = "410"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.ScanController	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9DAB0CA5-AE19-41AE-955C-41DD44C52697}\Version\ = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-057D-4391-B928-F14B06B710C5}\NumMethods\ = "14"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E9BB-49B3-BFC7-C5171E93EF38}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-9641-4397-854A-040439D0114B}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3B24818-1CC9-4825-96A9-1DB596E079C8}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1691A7E8-B8D1-46D5-BB29-3A4DB2D809C6}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2E404A3-4E3F-4094-AE06-5E38D39B79AE}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B243B0B7-0567-4DA5-B8E4-A4CE22A4F2B6}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFF1A83B-6C83-4342-8E68-1648DE06CB65}\1.0\FLAGS\ = "0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\NumMethods	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{465E787A-0556-452F-9477-954E4A940003}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MB.AEController	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{562B1FA7-13DE-40A1-8839-AB2C5FA3129C}\TypeLib\ = "{A82129F1-32E1-4D79-A39F-EBFEE53A70BF}"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C2E404A3-4E3F-4094-AE06-5E38D39B79AE}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD3CFEBD-3B8E-4651-BB7C-537D1F03E59C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\ = "IStorageController"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2058A31F-5F59-4452-9204-03F588252FFC}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F275D775-3A22-4C5A-B9AD-6FE8008304D0}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\NumMethods\ = "15"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\TypeLib	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{63A6AB57-4679-4529-B78D-143547B22799}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0547-448E-BC7C-94E9E173BF57}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-FEBE-4049-B476-1292A8E45B09}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-477A-2497-6759-88B8292A5AF0}\NumMethods	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{278637DA-FDFB-45C7-8CD8-F2D8A9199AB0}\ = "ArwController Class"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19184D37-6938-4F54-BAFD-3240F0FA75E6}\ProxyStubClsid32	MBAMService.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B860FC17-5606-4F3A-8AE5-E1C139D8BDE3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FC34538A-37CB-44B4-9264-533E9347BB40}\ = "IRTPControllerEventsV2"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-B45C-48AE-8B36-D35E83D207AA}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41f9-bd74-3ef5fd653250}	Ld9BoxSVC.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.cue\shell\Open\command	Un_A.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FA6C70E7-6A6D-4F4A-99BF-C8B375CB7E0C}\ = "ILinker"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6357A98F-CE03-4C67-9410-00907FB21BC7}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97EB7268-0D7B-43F6-9C11-337287F960DF}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E2870643-0645-41F9-BCCB-F5969386162C}\ = "_IRTPControllerEventsV4"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2354-4267-883F-2F417D216519}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D372F21-E6DA-4B82-881A-79F6CA6B6AE1}\ProgID\ = "MB.PoliciesController.1"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B3DFEA6-6514-42CF-A091-C4DFFD9C2158}\ProxyStubClsid32	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C30B7D9-82A1-4068-8A5B-F4C7D5EF75A3}\TypeLib\Version = "1.0"	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-416B-4181-8C4A-45EC95177AEF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-C8E9-466B-9660-45CB3E9979E4}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A2D4A69C-14CA-4825-9376-5B4215AF5C5E}\TypeLib	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7196E77C-8EA5-4824-92C9-BAE8671149FA}\TypeLib\Version = "1.0"	MBAMService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\ = "IReusableEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-BF98-47FB-AB2F-B5177533F493}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\ProxyStubClsid32	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{015FAC74-0374-494A-A02D-316D562C0FCE}	MBAMService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\com.epicgames.launcher\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogm\shell\PlayWithVLC\command	Un_A.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D719729-5333-406C-BF12-8DE787FD65E3}\ProxyStubClsid32	regsvr32.exe

Modifies system certificate store 2 TTPs 39 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

DXSETUP.exeMBAMInstallerService.exesaBSI.exersEngineSvc.exersEngineSvc.exednplayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	DXSETUP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E\Blob = 0300000001000000140000000d44dd8c3c8c1a1a58756481e90f2e2affb3d26e2000000001000000ba010000308201b63082015ba0030201020213066c9fd5749736663f3b0b9ad9e89e7603f24a300a06082a8648ce3d0403023039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412033301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120333059301306072a8648ce3d020106082a8648ce3d030107034200042997a7c6417fc00d9be8011b56c6f252a5ba2db212e8d22ed7fac9c5d8aa6d1f73813b3b986b397c33a5c54e868e8017686245577d44581db337e56708eb66dea3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414abb6dbd7069e37ac3086079170c79cc419b178c0300a06082a8648ce3d0403020349003046022100e08592a317b78df92b06a593ac1a98686172fae1a1d0fb1c7860a64399c5b8c40221009c02eff1949cb396f9ebc62af8b62cfe3a901416d78c6324481cdf307dd5683b	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 5c0000000100000004000000001000001900000001000000100000009f687581f7ef744ecfc12b9cee6238f10f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa2140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2040000000100000010000000be954f16012122448ca8bc279602acf52000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\5A8CEF45D7A69859767A8C8B4496B578CF474B1A\Blob = 0300000001000000140000005a8cef45d7a69859767a8c8b4496b578cf474b1a2000000001000000450500003082054130820329a0030201020213066c9fd29635869f0a0fe58678f85b26bb8a37300d06092a864886f70d01010c05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412032301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203230820222300d06092a864886f70d01010105000382020f003082020a0282020100ad969f2d9c4a4c4a81795199ec8acb6b605113bc4d6d06fcb0088ddd19106ac7260c35d8c06f2084e994b19b8503c35bdb4ae8c8f89076d95b4fe34ce806364dcc9aac3d0c902b92d4061960ac374479858182ad5a37e00dcc9da64c5276ea439db704d150f655e0d5d2a64985e937e9ca7eae5c954d489a3fae205a6d8895d934b8521a4390b0bf6c05b9b678b7ead0e43a3c125362ff4af27bbe3505a91234e3f36474622c3d00495a28fe3244bb87dd652702713bda4af71fdacdf72155904f0fecae82e19f6bd945d3bbf05f87ed3c2c3986da3fdeec7255eb79a3addbdd7cb0ba1ccefcde4f3576cf0ff8781f6a36514627615be99ecff0a2557d7c258a6f2fb4c5cf842e2bfd0d51106cfb5f1bbc1b7ec5ae3b98013192ff0b57f49ab2b957e9abef0d76d1f0eef4ce86a7e06ee9b469a1df69f633c6692e97139ea587b057108137c953b3bb7ff692d19cd018f4926eda834fa663994ca5fb5eef21647a205f6c648515cb37e9620c0b2a16dc012e32da3e4bf59e3af6174094ef9e910886fabe63a85a33eccb744395f96c695236c7296ffc55035c1ffb9fbd47ebe74947950b4e89220949e0f5611ef1bf2e8a726e8059ff573af97532a34e5feced2862d94d73f2cc811760edcdebdcdba7cac57e02bdf2540854fdb42d092c17544a98d154e1516708d2ed6e7e6f3fd22d81592966cb903995111e7427feddebaf0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414b00cf04c30f405580248fd33e552af4b84e36652300d06092a864886f70d01010c05000382020100aaa8808f0e78a3e0a2d4cde6f5987a3bea0003b0970e93bc5aa8f62c8c7287a9b1fc7f73fd637178a58759cf30e10d10b2135a6d82f56ae6809fa0050b68e4476bc76adfb6fd773272e518fa09f4a0932c5dd28c75857665900c0379b7312363ad788309866884cafff9cf269a9279e7cd4bc5e761a717cbf3a91293936ba7e82f5392c46058b0cc0251185b858d625963b6adb4de9afb26f70027c05d55377499c9507fe3592e44e32c25eeec4c3277b49f1ae94b5d20c5dafd1c8716c643e8d4bb269a45705ea90b3753e2467b27fde046f289b7cc42b6cb28266ed9a5c93ac8411360f7508c15aeb26d1a151a5778e6922ad96590823f6c02afae123a27963604d71da28063a99bf1e5bab47c14b04ec9b11f745f38f651ea9bfa2ca211d4a92d271a45b1afb24e710dc05846d66906cb53cbb3fe6b41cd417e7d4c0f7c72797a59cd5e4a0eac9ba99873797cb4f4ccb9b8070cb2745cb8c76f88a190a7f4aaf9bf673af41a15621eb79fbe3db129af67a112f25810195303301bb81a89f69cbd97038ea309f31d8b21f1b4dfe41cd19f650206ea5cd613b384efa2a55c8c7729a768c06bae40d2a8b4eacdf08d4b389c199a1b2854b88990efca75813e1ef26424c718af4eff479e07f63565a4d30a56fff517646cefa822254993b6df0017da587e5deec51bb0d1d15f2110c7f9f3ba020a2707c5f1d6c7d3e0fb09606c	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0D44DD8C3C8C1A1A58756481E90F2E2AFFB3D26E	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE\Blob = 030000000100000014000000f6108407d6f8bb67980cc2e244c2ebae1cef63be2000000001000000f6010000308201f230820178a0030201020213066c9fd7c1bb104c2943e5717b7b2cc81ac10e300a06082a8648ce3d0403033039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412034301e170d3135303532363030303030305a170d3430303532363030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f7420434120343076301006072a8648ce3d020106052b8104002203620004d2ab8a374fa3530dfec18a7b4ba87b464b63b062f62d1bdb087121d200e863bd9a27fbf0396e5dea3da5c981aaa35b2098455d16dbfde8106de39ce0e3bd5f8462f3706433a0cb242f70ba88a12aa075f881ae6206c481db396e29b01efa2e5ca3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414d3ecc73a656ecce1da769a56fb9cf3866d57e581300a06082a8648ce3d040303036800306502303a8b21f1bd7e11add0ef58962fd6eb9d7e908d2bcf6655c32ce328a9700a470ef0375912ff2d9994284e2a4f354d335a023100ea75004e3bc43a941291c958469d211372a7889c8ae44c4adb96d4ac8b6b6b49125333add7e4be24fcb50a76d4a5bc10	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DXSETUP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa22000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 5c0000000100000004000000001000001900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c040000000100000010000000e94fb54871208c00df70f708ac47085b200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 4b0000000100000044000000370035004300410035003800300037003200420039003900320036004600370036003300410039003100460030004300430032003700390038003700300036005f0000005c000000010000000400000000080000040000000100000010000000943b3cc1d311e06f4e4acbf58f289ad214000000010000001400000081b80e638a891218e5fa3b3b50959fe6e59013850300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c19000000010000001000000087513236ba5fcaae2b242962815926f80f00000001000000200000000706b7e834d90e828da6e11374d1253e9254bd252349fd5cada87040945476b118000000010000001000000094ba2a8e68434595d5aff46246c54c122000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	dnplayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	DXSETUP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = 030000000100000014000000b51c067cee2b0c3df855ab2d92f4fe39d4e70f0e2000000001000000e1030000308203dd308202c5a003020102020100300d06092a864886f70d01010b050030818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a30818f310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e3132303006035504031329537461726669656c6420526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bdedc103fcf68ffc02b16f5b9f48d99d79e2a2b703615618c347b6d7ca3d352e8943f7a1699bde8a1afd13209cb44977322956fdb9ec8cdd22fa72dc276197eef65a84ec6e19b9892cdc845bd574fb6b5fc589a51052894655f4b8751ce67fe454ae4bf85572570219f8177159eb1e280774c59d48be6cb4f4a4b0f364377992c0ec465e7fe16d534c62afcd1f0b63bb3a9dfbfc7900986174cf26824063f3b2726a190d99cad40e75cc37fb8b89c159f1627f5fb35f6530f8a7b74d765a1e765e34c0e89656998ab3f07fa4cdbddc32317c91cfe05f11f86baa495cd19994d1a2e3635b0976b55662e14b741d96d426d4080459d0980e0ee6defcc3ec1f90f10203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147c0c321fa7d9307fc47d68a362a8a1ceab075b27300d06092a864886f70d01010b050003820101001159fa254f036f94993b9a1f828539d47605945ee128936d625d09c2a0a8d4b07538f1346a9de49f8a862651e62cd1c62d6e95204a9201ecb88a677b31e2672e8c9503262e439d4a31f60eb50cbbb7e2377f22ba00a30e7b52fb6bbb3bc4d379514ecd90f4670719c83c467a0d017dc558e76de68530179a24c410e004f7e0f27fd4aa0aff421d37ed94e5645912207738d3323e3881759673fa688fb1cbce1fc5ecfa9c7ecf7eb1f1072db6fcbfcaa4bfd097054abcea18280290bd5478092171d3d17d1dd916b0a9613dd00a0022fcc77bcb0964450b3b4081f77d7c32f598ca588e7d2aee90597364f936745e25a1f566052e7f3915a92afb508b8e8569f4	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F6108407D6F8BB67980CC2E244C2EBAE1CEF63BE	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C\Blob = 0300000001000000140000002ad974a775f73cbdbbd8f5ac3a49255fa8fb1f8c2000000001000000620400003082045e30820346a0030201020213077312380b9d6688a33b1ed9bf9ccda68e0e0f300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3232303832333232323132385a170d3330303832333232323132385a303c310b3009060355040613025553310f300d060355040a1306416d617a6f6e311c301a06035504031313416d617a6f6e205253412032303438204d303130820122300d06092a864886f70d01010105000382010f003082010a0282010100eb712ca9cb1f8828923230af8a570f78b73725955587ac675c97d322c8daa214676b7cf067dae2032ab356125dc6b547f96708a7937a9592180fb4f9f910369a7f2f80b64fba134ec75d531ee0dd96330720d396bc12e4745042a1051373b54f9b4424fe2d7fedbc2285ec362133977506ce271882dce3d9c582078d5e26012626671fd93f13cf32ba6bad7864fcaaff0e023c07df9c0578728cfdea75b7032884dae86e078cd05085ef8154b2716eec6d62ef8f94c35ee9c4a4d091c02e249198caeeba258ed4f671b6fb5b6b38064837478d86dcf2ea06fb76377d9eff424e4d588293cfe271c278b17aab4b5b94378881e4d9af24aef872c565fb4bb451e70203010001a382015a3082015630120603551d130101ff040830060101ff020100300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302301d0603551d0e0416041481b80e638a891218e5fa3b3b50959fe6e5901385301f0603551d230418301680148418cc8534ecbc0c94942e08599cc7b2104e0a08307b06082b06010505070101046f306d302f06082b060105050730018623687474703a2f2f6f6373702e726f6f746361312e616d617a6f6e74727573742e636f6d303a06082b06010505073002862e687474703a2f2f6372742e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e636572303f0603551d1f043830363034a032a030862e687474703a2f2f63726c2e726f6f746361312e616d617a6f6e74727573742e636f6d2f726f6f746361312e63726c30130603551d20040c300a3008060667810c010201300d06092a864886f70d01010b05000382010100ad00de0205232e063262b46bb19416e41140de2bfa59c135efe0aa8f2b41b9d1f38739001df23db5a7470c0606c691f3075702d4edbd17c1909abf4875a2074f30dd4a6a42b50d3d15c00ffe845bc63c99cc5752b1d86e12d59692934b94e507e88982086a7a34d49e64e13d876a92909a63a14bf88fb6ea34d305be20c2de06e28c9f738b9f4d3985cace19369d85c99ec9f8503fb67e88a1efca84068b50b40a5ca61c44f1fdc8614060f26125aa07f4c7c27375e40c0b428d04e55f4448995b7b898196a7889d4b0d62e804c4d7feb4e8b26dcaecc01cbc385b1ddf85ce5b7ae3494b6cb9a7ddf405b249ade1c5146bc2ccebcd7fd65869bac3207e7fb0b8	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\2AD974A775F73CBDBBD8F5AC3A49255FA8FB1F8C	dnplayer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rsEngineSvc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rsEngineSvc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8DA7F965EC5EFC37910F1C6E59FDC1CC6A6EDE16\Blob = 0300000001000000140000008da7f965ec5efc37910f1c6e59fdc1cc6a6ede162000000001000000450300003082034130820229a0030201020213066c9fcf99bf8c0a39e2f0788a43e696365bca300d06092a864886f70d01010b05003039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f742043412031301e170d3135303532363030303030305a170d3338303131373030303030305a3039310b3009060355040613025553310f300d060355040a1306416d617a6f6e3119301706035504031310416d617a6f6e20526f6f74204341203130820122300d06092a864886f70d01010105000382010f003082010a0282010100b2788071ca78d5e371af478050747d6ed8d78876f49968f7582160f97484012fac022d86d3a0437a4eb2a4d036ba01be8ddb48c80717364cf4ee8823c73eeb37f5b519f84968b0ded7b976381d619ea4fe8236a5e54a56e445e1f9fdb416fa74da9c9b35392ffab02050066c7ad080b2a6f9afec47198f503807dca2873958f8bad5a9f948673096ee94785e6f89a351c0308666a14566ba54eba3c391f948dcffd1e8302d7d2d747035d78824f79ec4596ebb738717f2324628b843fab71daacab4f29f240e2d4bf7715c5e69ffea9502cb388aae50386fdbfb2d621bc5c71e54e177e067c80f9c8723d63f40207f2080c4804c3e3b24268e04ae6c9ac8aa0d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604148418cc8534ecbc0c94942e08599cc7b2104e0a08300d06092a864886f70d01010b0500038201010098f2375a4190a11ac57651282036230eaee628bbaaf894ae48a4307f1bfc248d4bb4c8a197f6b6f17a70c85393cc0828e39825cf23a4f9de21d37c8509ad4e9a753ac20b6a897876444718656c8d418e3b7f9acbf4b5a750d7052c37e8034bade961a0026ef5f2f0c5b2ed5bb7dcfa945c779e13a57f52ad95f2f8933bde8b5c5bca5a525b60af14f74befa3fb9f40956d3154fc42d3c7461f23add90f48709ad9757871d1724334756e5759c2025c266029cf2319168e8843a5d4e4cb08fb231143e843297262a1a95d5e08d490aeb8d8ce14c2d055f286f6c49343776661c0b9e841d7977860036e4a72aea5d17dba109e866c1b8ab95933f8ebc490bef1b9	MBAMInstallerService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\1C58A3A8518E8759BF075B76B750D4F2DF264FCD\Blob = 0300000001000000140000001c58a3a8518e8759bf075b76b750d4f2df264fcd2000000001000000c2040000308204be308203a6a003020102021006d8d904d5584346f68a2fa754227ec4300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3231303431343030303030305a170d3331303431333233353935395a304f310b300906035504061302555331153013060355040a130c446967694365727420496e633129302706035504031320446967694365727420544c53205253412053484132353620323032302043413130820122300d06092a864886f70d01010105000382010f003082010a0282010100c14bb3654770bcdd4f58dbec9cedc366e51f311354ad4a66461f2c0aec6407e52edcdcb90a20eddfe3c4d09e9aa97a1d8288e51156db1e9f58c251e72c340d2ed292e156cbf1795fb3bb87ca25037b9a52416610604f571349f0e8376783dfe7d34b674c2251a6df0e9910ed57517426e27dc7ca622e131b7f238825536fc13458008b84fff8bea75849227b96ada2889b15bca07cdfe951a8d5b0ed37e236b4824b62b5499aecc767d6e33ef5e3d6125e44f1bf71427d58840380b18101faf9ca32bbb48e278727c52b74d4a8d697dec364f9cace53a256bc78178e490329aefb494fa415b9cef25c19576d6b79a72ba2272013b5d03d40d321300793ea99f50203010001a38201823082017e30120603551d130101ff040830060101ff020100301d0603551d0e04160414b76ba2eaa8aa848c79eab4da0f98b2c59576b9f4301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b06010505070302307606082b06010505070101046a3068302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304006082b060105050730028634687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63727430420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d2004363034300b06096086480186fd6c02013007060567810c01013008060667810c0102013008060667810c0102023008060667810c010203300d06092a864886f70d01010b050003820101008032ce5e0bdd6e5a0d0aafe1d684cbc08efa8570edda5db30cf72b7540fe850afaf33178b7704b1a8958ba80bdf36b1de97ecf0bba589c59d490d3fd6cfdd0986db771825bcf6d0b5a09d07bdec443d82aa4de9e41265fbb8f99cbddaee1a86f9f87fe74b71f1b20abb14fc6f5675d5d9b3ce9ff69f7616cd6d9f3fd36c6ab038876d24b2e7586e3fcd8557d26c21177df3e02b67cf3ab7b7a86366fb8f7d89371cf86df7330fa7babed2a59c842843b11171a52f3c90e147da25b7267ba71ed574766c5b8024a65345e8bd02a3c209c51994ce7529ef76b112b0d927e1de88aeb36164387ea2a63bf753febdec403bb0a3cf730efebaf4cfc8b3610733ef3a4	MBAMInstallerService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 040000000100000010000000e94fb54871208c00df70f708ac47085b0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b81900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b4200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	saBSI.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F40042E2E5F7E8EF8189FED15519AECE42C3BFA2\Blob = 040000000100000010000000be954f16012122448ca8bc279602acf5140000000100000014000000c87ed26a852a1bca1998040727cf50104f68a8a2030000000100000014000000f40042e2e5f7e8ef8189fed15519aece42c3bfa20f000000010000003000000041ce925678dfe0ccaa8089263c242b897ca582089d14e5eb685fca967f36dbd334e97e81fd0e64815f851f914ade1a1e1900000001000000100000009f687581f7ef744ecfc12b9cee6238f12000000001000000d0050000308205cc308203b4a00302010202105498d2d1d45b1995481379c811c08799300d06092a864886f70d01010c05003077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f726974792032303230301e170d3230303431363138333631365a170d3435303431363138343434305a3077310b3009060355040613025553311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e314830460603550403133f4d6963726f736f6674204964656e7469747920566572696669636174696f6e20526f6f7420436572746966696361746520417574686f72697479203230323030820222300d06092a864886f70d01010105000382020f003082020a0282020100b3912a07830667fd9e9de0c7c0b7a4e642047f0fa6db5ffbd55ad745a0fb770bf080f3a66d5a4d7953d8a08684574520c7a254fbc7a2bf8ac76e35f3a215c42f4ee34a8596490dffbe99d814f6bc2707ee429b2bf50b9206e4fd691365a89172f29884eb833d0ee4d771124821cb0dedf64749b79bf9c9c717b6844fffb8ac9ad773674985e386bd3740d02586d4deb5c26d626ad5a978bc2d6f49f9e56c1414fd14c7d3651637decb6ebc5e298dfd629b152cd605e6b9893233a362c7d7d6526708c42ef4562b9e0b87cceca7b4a6aaeb05cd1957a53a0b04271c91679e2d622d2f1ebedac020cb0419ca33fb89be98e272a07235be79e19c836fe46d176f90f33d008675388ed0e0499abbdbd3f830cad55788684d72d3bf6d7f71d8fdbd0dae926448b75b6f7926b5cd9b952184d1ef0f323d7b578cf345074c7ce05e180e35768b6d9ecb3674ab05f8e0735d3256946797250ac6353d9497e7c1448b80fdc1f8f47419e530f606fb21573e061c8b6b158627497b8293ca59e87547e83f38f4c75379a0b6b4e25c51efbd5f38c113e6780c955a2ec5405928cc0f24c0ecba0977239938a6b61cdac7ba20b6d737d87f37af08e33b71db6e731b7d9972b0e486335974b516007b506dc68613dafdc439823d24009a60daba94c005512c34ac50991387bbb30580b24d30025cb826835db46373efae23954f6028be37d55ba50203010001a3543052300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414c87ed26a852a1bca1998040727cf50104f68a8a2301006092b06010401823715010403020100300d06092a864886f70d01010c05000382020100af6adde619e72d9443194ecbe9509564a50391028be236803b15a252c21619b66a5a5d744330f49bff607409b1211e90166dc5248f5c668863f44fcc7df2124c40108b019fdaa9c8aef2951bcf9d05eb493e74a0685be5562c651c827e53da56d94617799245c4103608522917cb2fa6f27ed469248a1e8fb0730dcc1c4aabb2aaeda79163016422a832b87e3228b367732d91b4dc31010bf7470aa6f1d74aed5660c42c08a37b40b0bc74275287d6be88dd378a896e67881df5c95da0feb6ab3a80d71a973c173622411eac4dd583e63c38bd4f30e954a9d3b604c3327661bbb018c52b18b3c080d5b795b05e514d22fcec58aae8d894b4a52eed92dee7187c2157dd5563f7bf6dcd1fd2a6772870c7e25b3a5b08d25b4ec80096b3e18336af860a655c74f6eaec7a6a74a0f04beeef94a3ac50f287edd73a3083c9fb7d57bee5e3f841cae564aeb3a3ec58ec859accefb9eaf35618b95c739aafc577178359db371a187254a541d2b62375a3439ae5777c9679b7418dbfecdc80a09fd17775585f3513e0251a670b7dce25fa070ae46121d8d41ce507c63699f496d0c615fe4ecdd7ae8b9ddb16fd04c692bdd488e6a9a3aabbf764383b5fcc0cd035be741903a6c5aa4ca26136823e1df32bbc975ddb4b783b2df53bef6023e8f5ec0b233695af9866bf53d37bb8694a2a966669c494c6f45f6eac98788880065ca2b2eda2	rsEngineSvc.exe

NTFS ADS 17 IoCs

Processes:

winzip28.exefirefox.exeMBAMInstallerService.exewinzip28.exewinzip28.exewinzip28.exewinzip28.exewinzip28.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\e70b9ff\winzip28.exe\:Zone.Identifier:$DATA	winzip28.exe
File created	C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe:Zone.Identifier	firefox.exe
File created	C:\Program Files\Malwarebytes\Anti-Malware\mbuns.exe\:Zone.Identifier:$DATA	MBAMInstallerService.exe
File created	C:\Users\Admin\Downloads\winzip28.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\EpicInstaller-15.17.1.msi:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\SpytrixSkinSwapper.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\e70c22d\winzip28.exe\:Zone.Identifier:$DATA	winzip28.exe
File created	C:\Users\Admin\Downloads\winrar-x64-700.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\e706596\winzip28.exe\:Zone.Identifier:$DATA	winzip28.exe
File created	C:\Users\Admin\AppData\Local\Temp\e70b4fe\winzip28.exe\:Zone.Identifier:$DATA	winzip28.exe
File created	C:\Users\Admin\Downloads\GlassWireSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\MBSetup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Virus_TI_Quickstart.pdf:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\e70cb65\winzip28.exe\:Zone.Identifier:$DATA	winzip28.exe
File created	C:\Users\Admin\Downloads\avg_secure_browser_setup.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\LDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\e6f6656\winzip28.exe\:Zone.Identifier:$DATA	winzip28.exe

Runs net.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 2005 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

GlassWire.exe

pid process

6852 GlassWire.exe

description	flow	ioc
HTTP User-Agent header	2005	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
6852	GlassWire.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeMsiExec.exemsiexec.exeavg_secure_browser_setup.exeaj6097.exe

pid	process
4616	powershell.exe
4616	powershell.exe
4616	powershell.exe
3532	MsiExec.exe
3532	MsiExec.exe
3532	MsiExec.exe
3532	MsiExec.exe
3532	MsiExec.exe
3532	MsiExec.exe
5616	msiexec.exe
5616	msiexec.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
200	aj6097.exe
200	aj6097.exe
2460	avg_secure_browser_setup.exe
2460	avg_secure_browser_setup.exe
200	aj6097.exe
200	aj6097.exe
200	aj6097.exe
200	aj6097.exe
2460	avg_secure_browser_setup.exe
200	aj6097.exe
2460	avg_secure_browser_setup.exe
200	aj6097.exe
200	aj6097.exe
200	aj6097.exe
200	aj6097.exe
200	aj6097.exe
2460	avg_secure_browser_setup.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

GlassWire.exetaskmgr.exednplayer.exeOpenWith.exe

pid process

6852 GlassWire.exe
9668 taskmgr.exe
10912 dnplayer.exe
12772 OpenWith.exe
Suspicious behavior: LoadsDriver 32 IoCs

Processes:

pid process

632
4
4
4
4
4
632
4
4
4
4
4
4
4
4
632
632
632
632
632
632
632
632
632
632
632
632
632
632
632
632
632
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

13260 MicrosoftEdgeCP.exe
13260 MicrosoftEdgeCP.exe
13260 MicrosoftEdgeCP.exe
13260 MicrosoftEdgeCP.exe

pid	process
6852	GlassWire.exe
9668	taskmgr.exe
10912	dnplayer.exe
12772	OpenWith.exe

pid	process
632
4
4
4
4
4
632
4
4
4
4
4
4
4
4
632
632
632
632
632
632
632
632
632
632
632
632
632
632
632
632
632

pid	process
13260	MicrosoftEdgeCP.exe
13260	MicrosoftEdgeCP.exe
13260	MicrosoftEdgeCP.exe
13260	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exefirefox.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	4616	powershell.exe
Token: SeDebugPrivilege	4588	firefox.exe
Token: SeDebugPrivilege	4588	firefox.exe
Token: SeDebugPrivilege	4588	firefox.exe
Token: SeDebugPrivilege	4588	firefox.exe
Token: SeDebugPrivilege	4588	firefox.exe
Token: SeDebugPrivilege	4588	firefox.exe
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	5616	msiexec.exe
Token: SeCreateTokenPrivilege	1684	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1684	msiexec.exe
Token: SeLockMemoryPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeMachineAccountPrivilege	1684	msiexec.exe
Token: SeTcbPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeLoadDriverPrivilege	1684	msiexec.exe
Token: SeSystemProfilePrivilege	1684	msiexec.exe
Token: SeSystemtimePrivilege	1684	msiexec.exe
Token: SeProfSingleProcessPrivilege	1684	msiexec.exe
Token: SeIncBasePriorityPrivilege	1684	msiexec.exe
Token: SeCreatePagefilePrivilege	1684	msiexec.exe
Token: SeCreatePermanentPrivilege	1684	msiexec.exe
Token: SeBackupPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeDebugPrivilege	1684	msiexec.exe
Token: SeAuditPrivilege	1684	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1684	msiexec.exe
Token: SeChangeNotifyPrivilege	1684	msiexec.exe
Token: SeRemoteShutdownPrivilege	1684	msiexec.exe
Token: SeUndockPrivilege	1684	msiexec.exe
Token: SeSyncAgentPrivilege	1684	msiexec.exe
Token: SeEnableDelegationPrivilege	1684	msiexec.exe
Token: SeManageVolumePrivilege	1684	msiexec.exe
Token: SeImpersonatePrivilege	1684	msiexec.exe
Token: SeCreateGlobalPrivilege	1684	msiexec.exe
Token: SeCreateTokenPrivilege	1684	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1684	msiexec.exe
Token: SeLockMemoryPrivilege	1684	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1684	msiexec.exe
Token: SeMachineAccountPrivilege	1684	msiexec.exe
Token: SeTcbPrivilege	1684	msiexec.exe
Token: SeSecurityPrivilege	1684	msiexec.exe
Token: SeTakeOwnershipPrivilege	1684	msiexec.exe
Token: SeLoadDriverPrivilege	1684	msiexec.exe
Token: SeSystemProfilePrivilege	1684	msiexec.exe
Token: SeSystemtimePrivilege	1684	msiexec.exe
Token: SeProfSingleProcessPrivilege	1684	msiexec.exe
Token: SeIncBasePriorityPrivilege	1684	msiexec.exe
Token: SeCreatePagefilePrivilege	1684	msiexec.exe
Token: SeCreatePermanentPrivilege	1684	msiexec.exe
Token: SeBackupPrivilege	1684	msiexec.exe
Token: SeRestorePrivilege	1684	msiexec.exe
Token: SeShutdownPrivilege	1684	msiexec.exe
Token: SeDebugPrivilege	1684	msiexec.exe
Token: SeAuditPrivilege	1684	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1684	msiexec.exe
Token: SeChangeNotifyPrivilege	1684	msiexec.exe
Token: SeRemoteShutdownPrivilege	1684	msiexec.exe
Token: SeUndockPrivilege	1684	msiexec.exe
Token: SeSyncAgentPrivilege	1684	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exemsiexec.exeGlassWireSetup.exeGlassWire.exeMBSetup.exetaskmgr.exe

pid	process
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
1684	msiexec.exe
1684	msiexec.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
6396	GlassWireSetup.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
4588	firefox.exe
4588	firefox.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
10076	MBSetup.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exeGlassWire.exetaskmgr.exe

pid	process
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
6852	GlassWire.exe
4588	firefox.exe
4588	firefox.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe
9668	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

firefox.exeuninstall.exeUn_A.exeGlassWireSetup.exevc_redist.x86.exevc_redist.x86.exeGWInstSt.exeGWCtlSrv.exeGWCtlSrv.exeGlassWire.exeavg_secure_browser_setup.exeLDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exeMBSetup.exeLDPlayer.exednrepairer.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid	process
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
5292	uninstall.exe
3536	Un_A.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
6396	GlassWireSetup.exe
6876	vc_redist.x86.exe
6180	vc_redist.x86.exe
7608	GWInstSt.exe
7696	GWCtlSrv.exe
5392	GWCtlSrv.exe
6852	GlassWire.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
2460	avg_secure_browser_setup.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
8280	LDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
10076	MBSetup.exe
10448	LDPlayer.exe
9504	dnrepairer.exe
9612	Ld9BoxSVC.exe
11408	driverconfig.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe
10912	dnplayer.exe
9972	Ld9BoxSVC.exe
10440	vbox-img.exe
9328	vbox-img.exe
12032	vbox-img.exe
12052	Ld9BoxHeadless.exe
11668	Ld9BoxHeadless.exe
11596	Ld9BoxHeadless.exe
11456	Ld9BoxHeadless.exe
10112	Ld9BoxHeadless.exe
12848	MicrosoftEdge.exe
13260	MicrosoftEdgeCP.exe
11404	MicrosoftEdgeCP.exe
13260	MicrosoftEdgeCP.exe
4588	firefox.exe
4588	firefox.exe
4588	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 2308 wrote to memory of 4588	2308	firefox.exe	firefox.exe
PID 4588 wrote to memory of 596	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 596	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 4640	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 2776	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 2776	4588	firefox.exe	firefox.exe
PID 4588 wrote to memory of 2776	4588	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.0.2046109205\78348686" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1664 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c019124-5adc-4518-96d2-69f55b6cd733} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 1796 219ff6e8a58 gpu
3⤵
PID:596

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.1.545315082\836997234" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71f0b873-b171-405d-8ebc-80d6d25a4611} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2152 219f4671658 socket
3⤵
PID:4640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.2.2088527869\551741154" -childID 1 -isForBrowser -prefsHandle 2972 -prefMapHandle 2968 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12dffcc6-695e-45ac-a547-ad8042a1c00c} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2984 21983aa1258 tab
3⤵
PID:2776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.3.1720937062\508513130" -childID 2 -isForBrowser -prefsHandle 3528 -prefMapHandle 3524 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad3f089a-4823-411c-9c05-a7ae3e8808bb} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 3532 21982137e58 tab
3⤵
PID:4808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.4.519025735\1547504807" -childID 3 -isForBrowser -prefsHandle 4348 -prefMapHandle 4344 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {09e13172-7602-4b13-a8f6-fbd465cede61} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4360 21985a5cb58 tab
3⤵
PID:4272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.5.852666850\1694675087" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ba97bb2-8380-4695-90b1-4176bf4b1631} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4864 21985a5bf58 tab
3⤵
PID:4468

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.6.1750583585\2070905332" -childID 5 -isForBrowser -prefsHandle 5000 -prefMapHandle 5004 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ea22116-f687-4a8e-82f0-1603c98815a0} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4992 21985f2b458 tab
3⤵
PID:208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.7.1781626885\82240054" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a7e7451-486d-4756-924a-4ffdbb4db1b5} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5196 21985f2bd58 tab
3⤵
PID:1084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.8.677428084\741935950" -childID 7 -isForBrowser -prefsHandle 2624 -prefMapHandle 2620 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac8ba051-efca-4bef-931e-68c733bc137d} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2600 21983aa1b58 tab
3⤵
PID:4548

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.9.1380886012\932664117" -childID 8 -isForBrowser -prefsHandle 5788 -prefMapHandle 5792 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {871f1c22-dfe9-41ab-a14c-7239cf885c61} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4844 21985c4b858 tab
3⤵
PID:420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.10.1320803891\2068635450" -childID 9 -isForBrowser -prefsHandle 4544 -prefMapHandle 4676 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e84c7c2-d6bf-4612-8183-741f64e344e5} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4548 21987cae258 tab
3⤵
PID:2248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.11.239845397\1017967483" -childID 10 -isForBrowser -prefsHandle 5060 -prefMapHandle 1616 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03787539-19cc-4a90-b35c-355ce85b0bb3} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5012 21986b53258 tab
3⤵
PID:3536

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.12.313696761\1202329472" -childID 11 -isForBrowser -prefsHandle 6008 -prefMapHandle 6004 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c55ef1db-8f81-475e-8a8a-9a8a3d6d5dcf} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4676 21986b55658 tab
3⤵
PID:3064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.13.996745328\845148701" -childID 12 -isForBrowser -prefsHandle 4352 -prefMapHandle 5620 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef18bac2-211d-4b6e-b03e-ee74799fa2fe} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4968 219885e8658 tab
3⤵
PID:3688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.14.1977589344\510927481" -childID 13 -isForBrowser -prefsHandle 5692 -prefMapHandle 5704 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f491d12d-19cc-4a94-8b09-5f5a7c5b6160} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5680 21984606258 tab
3⤵
PID:4812

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.15.1773502159\1385909178" -childID 14 -isForBrowser -prefsHandle 6932 -prefMapHandle 7132 -prefsLen 27587 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cb8477d-a572-4395-af42-cf45f18cc1e9} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 6956 21984550e58 tab
3⤵
PID:5668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.16.1937514553\16627767" -parentBuildID 20221007134813 -prefsHandle 10964 -prefMapHandle 10968 -prefsLen 27587 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {564e1367-faf9-42fb-9dd9-1cf340eb8e6e} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5336 2198b224758 rdd
3⤵
PID:2372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.17.681223465\1763955745" -childID 15 -isForBrowser -prefsHandle 6936 -prefMapHandle 10088 -prefsLen 27587 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {396ff0f5-56a0-4318-9586-bebfc3cada92} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10924 2198b34bb58 tab
3⤵
PID:5744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.18.630298677\735671680" -childID 16 -isForBrowser -prefsHandle 4640 -prefMapHandle 5888 -prefsLen 27587 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97c1b04a-2353-4866-988e-879fd0c837ff} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2828 2198b670b58 tab
3⤵
PID:3356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.19.1173339547\1038116413" -childID 17 -isForBrowser -prefsHandle 2732 -prefMapHandle 4620 -prefsLen 27587 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56b87bbc-1c9b-4508-baca-677aae6b401f} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4428 2198b761158 tab
3⤵
PID:5356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.20.1804694719\503344967" -childID 18 -isForBrowser -prefsHandle 7012 -prefMapHandle 10656 -prefsLen 27587 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d09efa2-4d13-4289-afd9-4d4048305410} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4260 2198baf6f58 tab
3⤵
PID:3992

C:\Users\Admin\Downloads\GlassWireSetup.exe
"C:\Users\Admin\Downloads\GlassWireSetup.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6396

C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\vc_redist.x86.exe
"C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\vc_redist.x86.exe" /install /quiet /norestart
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6876

C:\Windows\Temp\{B5321DE7-862C-40C3-B36A-C8C4F760F5C0}\.cr\vc_redist.x86.exe
"C:\Windows\Temp\{B5321DE7-862C-40C3-B36A-C8C4F760F5C0}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\vc_redist.x86.exe" -burn.filehandle.attached=616 -burn.filehandle.self=624 /install /quiet /norestart
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6180

C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\GWInstSt.exe
"C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\GWInstSt.exe" "https://www.glasswire.com/stat/install.php?v=3.3.664&build_type=full&os=Ten&platform=x64&update=0&install_id=5462C5691F0489408F7683B29F8ADC572400B7F33BC6A3D87BA7413544D1C886&referrer=https%3A%2F%2Fwww.google.com%2F&user_agent=Mozilla%2F5.0+%28Windows+NT+10.0%3B+Win64%3B+x64%3B+rv%3A105.0%29+Gecko%2F20100101+Firefox%2F105.0&ga_client_id=1116788471.1714250793" "nsis$$.tmp"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7608

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\system32\drivers\gwdrv.inf
4⤵
- Adds Run key to start application
PID:5460

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
PID:1324

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:2584

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" start gwdrv
4⤵
PID:6028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start gwdrv
5⤵
PID:5936

C:\Windows\SysWOW64\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im "C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\eventlog.man" /rf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /mf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll"
4⤵
PID:7728

C:\Windows\System32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im "C:\Users\Admin\AppData\Local\Temp\nsb8F74.tmp\eventlog.man" /rf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /mf:"C:\Program Files (x86)\GlassWire\GWEventLog.dll" /fromwow64
5⤵
PID:7804

C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
"C:\Program Files (x86)\GlassWire\GWCtlSrv.exe" "-i"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:7696

C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
"C:\Program Files (x86)\GlassWire\GWCtlSrv.exe" "-s"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5392

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Program Files (x86)\GlassWire\glasswire.exe"
4⤵
PID:4756

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.21.2107312902\1909877474" -childID 19 -isForBrowser -prefsHandle 4696 -prefMapHandle 2840 -prefsLen 27596 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ed745a1-2e02-4e0a-bfc1-593ca28ffe43} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 6900 2198bdf9e58 tab
3⤵
PID:6340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.22.1560697541\614083464" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6988 -prefMapHandle 5228 -prefsLen 27596 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e225b8c6-ad89-46c4-9bcb-f44f9e022833} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10976 219820b7f58 utility
3⤵
PID:5368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.23.1185935394\1424983437" -childID 20 -isForBrowser -prefsHandle 10252 -prefMapHandle 10352 -prefsLen 27596 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a17338f1-68f2-425f-95d0-d5419df392f6} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4412 2198b613158 tab
3⤵
PID:6520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.24.1350282015\211463631" -childID 21 -isForBrowser -prefsHandle 4416 -prefMapHandle 10676 -prefsLen 27596 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e42fa931-35f9-4a35-b5d1-a2d0eddcb135} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4468 219820b5b58 tab
3⤵
PID:2104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.25.106087566\473739686" -childID 22 -isForBrowser -prefsHandle 5824 -prefMapHandle 4400 -prefsLen 27596 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a0a7206-5775-4fe7-8383-48bc2589fb18} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4576 219820b6158 tab
3⤵
PID:6404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.26.1039794558\1749488026" -childID 23 -isForBrowser -prefsHandle 7512 -prefMapHandle 10808 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7c8f00fc-342e-4a1a-a144-3c587b8074a4} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7492 2198d476e58 tab
3⤵
PID:5932

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.27.1039978036\1660836756" -childID 24 -isForBrowser -prefsHandle 9784 -prefMapHandle 9780 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32c47391-73d7-4792-9c79-e69ef1bea5eb} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9728 2198d7d4458 tab
3⤵
PID:8040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.28.659677742\135742162" -childID 25 -isForBrowser -prefsHandle 7412 -prefMapHandle 7452 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {049b01b2-b8d0-4a45-8911-8ee19292eaea} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7404 2198d7d5058 tab
3⤵
PID:6164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.29.1821542350\2082836020" -childID 26 -isForBrowser -prefsHandle 7264 -prefMapHandle 7260 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f18d359-893a-43ae-8b7a-a4103f9a349b} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7272 2198d7d6e58 tab
3⤵
PID:7064

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.30.1816790151\989426782" -childID 27 -isForBrowser -prefsHandle 7172 -prefMapHandle 7176 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {13925b56-c2dd-45a6-b637-a522c6b86a7a} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 6660 2198da1da58 tab
3⤵
PID:8160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.31.1101965446\2108133869" -childID 28 -isForBrowser -prefsHandle 11048 -prefMapHandle 11052 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d84a19e7-28ea-482d-a1d8-1abc465fc1f9} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11040 2198da7a858 tab
3⤵
PID:6288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.32.1353441165\590869220" -childID 29 -isForBrowser -prefsHandle 9372 -prefMapHandle 9376 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d519928-c611-4e06-89c3-f4497a040a6f} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11232 2198bf70f58 tab
3⤵
PID:7760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.33.1588193775\1758856431" -childID 30 -isForBrowser -prefsHandle 7200 -prefMapHandle 7196 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fe7ecd3-f586-43f7-b7c5-5ce205e6faba} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9440 2198da7c658 tab
3⤵
PID:6316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.34.1960746639\1273920473" -childID 31 -isForBrowser -prefsHandle 9120 -prefMapHandle 9124 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc2041a5-ef1f-48d8-8b42-4a1c59e9d387} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9784 2198bf39b58 tab
3⤵
PID:6708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.35.1769272797\1442640354" -childID 32 -isForBrowser -prefsHandle 7212 -prefMapHandle 9616 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1dd34ba-7464-4a5b-a11f-ce904d4b06f3} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9440 2198e18e858 tab
3⤵
PID:8104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.36.981297682\993563878" -childID 33 -isForBrowser -prefsHandle 8748 -prefMapHandle 8744 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd561fb4-f134-4bc1-ba65-02009556be4f} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8812 2198da0fe58 tab
3⤵
PID:6804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.37.1686996226\234632281" -childID 34 -isForBrowser -prefsHandle 9616 -prefMapHandle 8844 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eacd4f2e-fd75-4569-bbf5-6851984fc18a} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9784 2198da10758 tab
3⤵
PID:8184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.38.2060443501\541022314" -childID 35 -isForBrowser -prefsHandle 8632 -prefMapHandle 8636 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9e40be7-f398-4b93-a6e4-23328765c0f7} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9152 2198da11358 tab
3⤵
PID:8132

C:\Users\Admin\Downloads\avg_secure_browser_setup.exe
"C:\Users\Admin\Downloads\avg_secure_browser_setup.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Users\Admin\AppData\Local\Temp\aj6097.exe
"C:\Users\Admin\AppData\Local\Temp\aj6097.exe" /relaunch=8 /was_elevated=1 /tagdata
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
PID:200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.39.1693654199\172088832" -childID 36 -isForBrowser -prefsHandle 9056 -prefMapHandle 9040 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {314628a8-b302-4518-977a-1d40d0f456c2} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9064 2198e18eb58 tab
3⤵
PID:7668

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.40.752048505\1662792409" -childID 37 -isForBrowser -prefsHandle 7248 -prefMapHandle 8776 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3f749ba-f2f4-431f-941b-ecaab30b9151} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7364 2198b721558 tab
3⤵
PID:8156

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.41.321347734\602891283" -childID 38 -isForBrowser -prefsHandle 9116 -prefMapHandle 9780 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db0b9b1e-aafb-4927-a2f6-a9cd9204d35c} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8788 2198b724e58 tab
3⤵
PID:428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.42.989089951\735510330" -childID 39 -isForBrowser -prefsHandle 9048 -prefMapHandle 9608 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {787c14a5-1fae-4172-ab77-291c6187dab4} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9572 2198b7bf958 tab
3⤵
PID:2016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.43.767576083\1413797661" -childID 40 -isForBrowser -prefsHandle 9644 -prefMapHandle 7284 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b1f14c2-c890-4905-9d3a-4313ccc9da6a} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9396 2198c0f7858 tab
3⤵
PID:6404

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.44.425431319\1365864087" -childID 41 -isForBrowser -prefsHandle 11116 -prefMapHandle 9496 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29c97e7f-4856-4969-8092-68a252f64986} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8704 219820b7658 tab
3⤵
PID:3216

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.45.230131710\1362447631" -childID 42 -isForBrowser -prefsHandle 9624 -prefMapHandle 8656 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63cb2ee0-87a5-43b1-be4b-1cfa4823d8c3} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9496 2198e270958 tab
3⤵
PID:8144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.46.1293265477\962225840" -childID 43 -isForBrowser -prefsHandle 9964 -prefMapHandle 9812 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8db7414-f05c-491f-9bb5-bb59583934b6} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9884 2198e26e258 tab
3⤵
PID:6032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.47.1926870101\1430557803" -childID 44 -isForBrowser -prefsHandle 3716 -prefMapHandle 10244 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2b5b2bf-c2ac-4231-b889-fca500470cfb} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9672 2198e270358 tab
3⤵
PID:488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.48.2111334077\784021904" -childID 45 -isForBrowser -prefsHandle 9512 -prefMapHandle 9684 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f617708b-ee15-4e9a-a5e6-8e9b31accf40} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11260 2198f12cb58 tab
3⤵
PID:6420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.49.1169645610\99374683" -childID 46 -isForBrowser -prefsHandle 5080 -prefMapHandle 3900 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e688c37-3149-4b39-be2b-df389aa71920} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10488 2198f4de058 tab
3⤵
PID:7232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.50.572188901\1633160221" -childID 47 -isForBrowser -prefsHandle 9668 -prefMapHandle 9348 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8595be6e-91a5-4959-8638-4ed4da30d02d} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8136 2198f4dc558 tab
3⤵
PID:7228

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.51.822529006\2143408820" -childID 48 -isForBrowser -prefsHandle 9252 -prefMapHandle 1616 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2d55aa3-4960-48a9-a2f9-eb3f00f8d8d1} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10036 2198f4dce58 tab
3⤵
PID:1684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.52.270738969\547090310" -childID 49 -isForBrowser -prefsHandle 7896 -prefMapHandle 7900 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8cda04a-4b76-4b96-84a7-283a175953ba} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7888 2198871d658 tab
3⤵
PID:7696

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.53.632491148\239998338" -childID 50 -isForBrowser -prefsHandle 9644 -prefMapHandle 8204 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8280f981-f2da-4d43-b28a-0bd70d45ca5b} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11140 2198fdcb258 tab
3⤵
PID:6164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.54.427602361\1436333763" -childID 51 -isForBrowser -prefsHandle 7476 -prefMapHandle 1564 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34a9ec1e-d021-4175-95c9-1fb4971603c9} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10648 2198f163858 tab
3⤵
PID:7332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.55.1328460076\1365314104" -childID 52 -isForBrowser -prefsHandle 8232 -prefMapHandle 9716 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {479349bf-c91d-4e37-8ed0-05512fe3eed1} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 6656 2198da42258 tab
3⤵
PID:5680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.56.1998305719\1288375589" -childID 53 -isForBrowser -prefsHandle 4476 -prefMapHandle 8468 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {453b90cf-ea4b-459c-9dd5-20cfb0448c61} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10460 21991378e58 tab
3⤵
PID:8144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.57.403753012\1281268013" -childID 54 -isForBrowser -prefsHandle 7348 -prefMapHandle 7344 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {261c42dd-8049-42d6-9327-711d724a60a2} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7356 21990e5ea58 tab
3⤵
PID:7316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.58.379771411\1200002470" -childID 55 -isForBrowser -prefsHandle 6704 -prefMapHandle 6620 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3d7147c-e1a2-4fc2-a352-d4ceae1f318c} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8988 21991379a58 tab
3⤵
PID:4036

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.59.1033426806\1950683764" -childID 56 -isForBrowser -prefsHandle 6616 -prefMapHandle 6596 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e9f5316-1649-411e-ad2b-4ecee5bde8a4} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9092 21992898358 tab
3⤵
PID:220

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.60.378228390\1171353013" -childID 57 -isForBrowser -prefsHandle 9724 -prefMapHandle 7272 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {41990295-adce-4440-958a-003d18fd0755} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7800 21992b10158 tab
3⤵
PID:7016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.61.417601540\733259716" -childID 58 -isForBrowser -prefsHandle 8172 -prefMapHandle 8176 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {36742478-64b7-4c65-9354-bbea59a3e0a3} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8292 21992dd4058 tab
3⤵
PID:5776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.62.2104547455\968181460" -childID 59 -isForBrowser -prefsHandle 6616 -prefMapHandle 8916 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0e33ba7-a3a9-40ac-87ef-b47d011869d4} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11256 21992dd5b58 tab
3⤵
PID:3972

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.63.1341882999\1689256390" -childID 60 -isForBrowser -prefsHandle 9448 -prefMapHandle 8648 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7965abbd-4052-489f-abb1-3e29ecb77cde} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8824 21992e7c258 tab
3⤵
PID:8088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.64.419628210\657466221" -childID 61 -isForBrowser -prefsHandle 7868 -prefMapHandle 7864 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5528a348-f4f3-45d5-9ed3-21be193502c1} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8388 21992aa0958 tab
3⤵
PID:7856

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.65.1733407414\148866062" -childID 62 -isForBrowser -prefsHandle 7672 -prefMapHandle 7668 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {051322fa-f946-4056-ade1-c4907f2e2e22} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7876 21992aa0658 tab
3⤵
PID:6456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.66.1543037650\361727947" -childID 63 -isForBrowser -prefsHandle 11292 -prefMapHandle 7688 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5240807-7606-4745-a107-89a03977846b} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11308 21992aa0c58 tab
3⤵
PID:6828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.67.1290717003\2031437910" -childID 64 -isForBrowser -prefsHandle 8716 -prefMapHandle 8400 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f795c6fd-3e5e-4c50-9e5b-b136e1884cb9} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7328 21992714558 tab
3⤵
PID:6736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.68.707088168\2109779162" -childID 65 -isForBrowser -prefsHandle 11704 -prefMapHandle 8416 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {49982422-089d-4cc2-b769-18d5d3bdfc47} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8204 21990fa6758 tab
3⤵
PID:704

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.69.494181450\1073150777" -childID 66 -isForBrowser -prefsHandle 7828 -prefMapHandle 8204 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {027d557a-b18e-4e89-a855-2ec32ce97f03} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9504 2198ccacf58 tab
3⤵
PID:7852

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.70.846344518\2013442206" -childID 67 -isForBrowser -prefsHandle 11628 -prefMapHandle 11632 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97191708-029e-424e-9398-abd17ce2168c} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11620 21993717f58 tab
3⤵
PID:1624

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.71.1883062150\1920843780" -childID 68 -isForBrowser -prefsHandle 7460 -prefMapHandle 6616 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8785ebe-4576-4c5a-bfc1-e167eb39f686} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8912 2198e270f58 tab
3⤵
PID:7096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.72.694558263\581403388" -childID 69 -isForBrowser -prefsHandle 11944 -prefMapHandle 11656 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9238bba4-8d8e-4a15-9725-f66ad97e48cc} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8912 21993c6ed58 tab
3⤵
PID:6296

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.73.452872426\1686015174" -childID 70 -isForBrowser -prefsHandle 12240 -prefMapHandle 12244 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b9691ae-8c02-440b-b67e-c1102e96dd5f} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12100 21993b98e58 tab
3⤵
PID:8952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.74.1020075656\1254322131" -childID 71 -isForBrowser -prefsHandle 12416 -prefMapHandle 12420 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {813ff5ab-57ba-44a6-a30b-d3a90d850590} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12408 21993b99d58 tab
3⤵
PID:8960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.75.409666974\1107373497" -childID 72 -isForBrowser -prefsHandle 12612 -prefMapHandle 12616 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b2350df-49c4-439a-abed-32aa9b8a96d7} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12604 21993b9a358 tab
3⤵
PID:8968

C:\Users\Admin\Downloads\LDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exe
"C:\Users\Admin\Downloads\LDPlayer9_ens_com.robtopx.geometryjump_25567197_ld.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:8280

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnplayer.exe /T
4⤵
- Kills process with taskkill
PID:7620

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayer.exe /T
4⤵
- Kills process with taskkill
PID:10848

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM dnmultiplayerex.exe /T
4⤵
- Kills process with taskkill
PID:8520

C:\Windows\SysWOW64\taskkill.exe
"taskkill" /F /IM bugreport.exe /T
4⤵
- Kills process with taskkill
PID:8764

F:\LDPlayer\LDPlayer9\LDPlayer.exe
"F:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=25567197 -language=en -path="F:\LDPlayer\LDPlayer9\"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10448

F:\LDPlayer\LDPlayer9\dnrepairer.exe
"F:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=328728
5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:9504

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
6⤵
PID:10848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
7⤵
PID:9064

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
6⤵
- Manipulates Digital Signatures
PID:8528

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
6⤵
- Manipulates Digital Signatures
PID:5904

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
6⤵
PID:11256

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
6⤵
PID:9924

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
6⤵
PID:9928

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
6⤵
PID:9860

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
6⤵
- Manipulates Digital Signatures
PID:11268

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "F:\LDPlayer\LDPlayer9\vms" /r /d y
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:11288

C:\Windows\SysWOW64\icacls.exe
"icacls" "F:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11356

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "F:\LDPlayer\LDPlayer9\\system.vmdk"
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Enumerates connected drives
PID:11396

C:\Windows\SysWOW64\icacls.exe
"icacls" "F:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11464

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
6⤵
- Drops file in Windows directory
PID:11504

C:\Windows\SysWOW64\sc.exe
sc query HvHost
6⤵
- Launches sc.exe
PID:11588

C:\Windows\SysWOW64\sc.exe
sc query vmms
6⤵
- Launches sc.exe
PID:11668

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
6⤵
- Launches sc.exe
PID:11676

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:9612

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
6⤵
PID:9824

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
6⤵
PID:11280

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
6⤵
- Registers COM server for autorun
- Modifies registry class
PID:11316

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
6⤵
- Modifies registry class
PID:11340

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
6⤵
- Launches sc.exe
PID:11328

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
6⤵
- Launches sc.exe
PID:11380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
6⤵
PID:11436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
6⤵
PID:9528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'F:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
6⤵
PID:11948

F:\LDPlayer\LDPlayer9\driverconfig.exe
"F:\LDPlayer\LDPlayer9\driverconfig.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:11408

C:\Windows\SysWOW64\takeown.exe
"takeown" /f F:\LDPlayer\ldmutiplayer\ /r /d y
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5704

C:\Windows\SysWOW64\icacls.exe
"icacls" F:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11840

F:\LDPlayer\LDPlayer9\dnplayer.exe
"F:\LDPlayer\LDPlayer9\dnplayer.exe" downloadpackage=com.robtopx.geometryjump|package=com.robtopx.geometryjump
4⤵
- Checks computer location settings
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:10912

C:\Windows\SysWOW64\sc.exe
sc query HvHost
5⤵
- Launches sc.exe
PID:10880

C:\Windows\SysWOW64\sc.exe
sc query vmms
5⤵
- Launches sc.exe
PID:9308

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
5⤵
- Launches sc.exe
PID:4832

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:9936

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-54d7-bbbb00000000
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10440

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-54d7-000000000000
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:9328

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "F:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-54d7-000000000000
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:12032

F:\LDPlayer\LDPlayer9\dnplayer.exe
"F:\LDPlayer\LDPlayer9\dnplayer.exe" index=0|
5⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
PID:13888

C:\Windows\SysWOW64\sc.exe
sc query HvHost
6⤵
- Launches sc.exe
PID:11728

C:\Windows\SysWOW64\sc.exe
sc query vmms
6⤵
- Launches sc.exe
PID:14140

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
6⤵
- Launches sc.exe
PID:14136

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.76.2036334699\596645223" -childID 73 -isForBrowser -prefsHandle 12756 -prefMapHandle 9680 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec1a9777-6906-4254-a694-192b7b11c111} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10488 2198f193d58 tab
3⤵
PID:8616

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.77.1751868663\2092937554" -childID 74 -isForBrowser -prefsHandle 12432 -prefMapHandle 11944 -prefsLen 27748 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9825853c-042e-46f5-8155-b1f0168824d2} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12664 21993c70558 tab
3⤵
PID:9328

C:\Users\Admin\Downloads\MBSetup.exe
"C:\Users\Admin\Downloads\MBSetup.exe"
3⤵
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:10076

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.78.1376761840\1314801163" -childID 75 -isForBrowser -prefsHandle 12640 -prefMapHandle 7520 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb4bf05-7199-4aae-8a39-afbb8cc703a8} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 5024 21991672e58 tab
3⤵
PID:9748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.79.624714375\2134656233" -childID 76 -isForBrowser -prefsHandle 12236 -prefMapHandle 12376 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08c9d6e1-d50b-476a-93c5-398854608717} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12660 2198ef4b058 tab
3⤵
PID:9636

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.80.2090105940\687236547" -childID 77 -isForBrowser -prefsHandle 8484 -prefMapHandle 9536 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63da4492-6367-4691-8993-f225f940c1cd} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 3680 2198edecd58 tab
3⤵
PID:1212

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.81.1377310394\1530857514" -childID 78 -isForBrowser -prefsHandle 12676 -prefMapHandle 12672 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9eb6ce71-f962-407c-8a78-d60bf87929dc} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9272 219844c3258 tab
3⤵
PID:6396

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.82.1318306490\1680061520" -childID 79 -isForBrowser -prefsHandle 11604 -prefMapHandle 11944 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {03d96172-3fce-4ff8-913a-ec0709c9bc96} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12912 21994b5b358 tab
3⤵
PID:9456

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.83.2057965850\23531060" -childID 80 -isForBrowser -prefsHandle 7620 -prefMapHandle 11992 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f61cdf7f-36de-409c-a874-a17a8fba0616} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 6616 2198d8b0858 tab
3⤵
PID:9088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.84.1741367521\497302472" -childID 81 -isForBrowser -prefsHandle 12936 -prefMapHandle 12944 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d8ebf7d-5193-4922-96de-9813a6613564} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12948 2198ba33a58 tab
3⤵
PID:1568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.85.22256716\1781840508" -childID 82 -isForBrowser -prefsHandle 10472 -prefMapHandle 10496 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e9bf836-326a-4026-9ce3-981e085e962e} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12772 21995189758 tab
3⤵
PID:10132

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.86.534018289\528203521" -childID 83 -isForBrowser -prefsHandle 9736 -prefMapHandle 11760 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba3e359f-32bd-4256-a047-88f865e54cdb} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7628 21994a3c558 tab
3⤵
PID:10160

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.87.1414881431\131441462" -childID 84 -isForBrowser -prefsHandle 9736 -prefMapHandle 8400 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d712a05-b8f3-4611-a55d-f39ac2299134} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12824 21995827d58 tab
3⤵
PID:9944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.88.128026010\1598532472" -childID 85 -isForBrowser -prefsHandle 4712 -prefMapHandle 11632 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65078edb-f05b-4979-a6a4-f2844fef48ff} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12220 219951f5258 tab
3⤵
PID:11960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.89.1682121961\1808920909" -childID 86 -isForBrowser -prefsHandle 11348 -prefMapHandle 10744 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {22787269-aff2-4376-be23-c20a383a7782} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11992 219820a8f58 tab
3⤵
PID:11744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.90.747836418\22545595" -childID 87 -isForBrowser -prefsHandle 10188 -prefMapHandle 7612 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8419d81-42c0-4d82-b185-e6a0526d6914} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12236 21988519658 tab
3⤵
PID:11184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.91.2018271703\1698250141" -childID 88 -isForBrowser -prefsHandle 9648 -prefMapHandle 9128 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3f9fcb4-7569-489a-950c-05515051089d} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 13264 21982af0658 tab
3⤵
PID:11688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.92.1350024672\1352303801" -childID 89 -isForBrowser -prefsHandle 12420 -prefMapHandle 10220 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f16f793-9432-42ac-9769-c7084ec244c3} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 10504 2198b13be58 tab
3⤵
PID:12708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.93.1007200596\388854627" -childID 90 -isForBrowser -prefsHandle 11804 -prefMapHandle 10504 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a8e6c23-68b1-4709-b6fe-a9fea92100f8} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12324 21982aef458 tab
3⤵
PID:12148

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.94.944572984\154517832" -childID 91 -isForBrowser -prefsHandle 12892 -prefMapHandle 8204 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {189f32ae-2b2e-4c7c-b0f2-882ac552e014} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11040 219845cc158 tab
3⤵
PID:6860

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.95.518005910\69603184" -childID 92 -isForBrowser -prefsHandle 8868 -prefMapHandle 7360 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {220c03a3-283d-4023-9f8a-ef52c710ec1e} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7668 219820b6d58 tab
3⤵
PID:13276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.96.729187521\2123245423" -childID 93 -isForBrowser -prefsHandle 9388 -prefMapHandle 7936 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4b8aef5-f6c7-4814-8348-ae506f8653b8} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 2648 21984462858 tab
3⤵
PID:8440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.97.432550346\1328286274" -childID 94 -isForBrowser -prefsHandle 12844 -prefMapHandle 9020 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {18746fba-ad47-4fbc-94e8-e8df4e1da4b0} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11748 219844c3858 tab
3⤵
PID:11512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.98.382147526\1699666413" -childID 95 -isForBrowser -prefsHandle 8732 -prefMapHandle 13196 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce7e7e9b-6ace-45a9-a612-a567a35d381f} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12600 21988518758 tab
3⤵
PID:11968

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.99.2100585672\559508239" -childID 96 -isForBrowser -prefsHandle 13208 -prefMapHandle 11628 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b82f16c-ac54-4bea-bb53-ef11eca46c47} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 4424 2198b476958 tab
3⤵
PID:4964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.100.1679870657\340770808" -childID 97 -isForBrowser -prefsHandle 12996 -prefMapHandle 7780 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {236cf92e-46df-4e1a-8a12-ae3211119c22} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12592 2198b66d558 tab
3⤵
PID:10376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.101.1487577819\295991244" -childID 98 -isForBrowser -prefsHandle 13196 -prefMapHandle 12928 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {194a5df8-b364-41ba-998f-4cadad038e5a} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12780 2198b6e7958 tab
3⤵
PID:12392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.102.988990404\181957906" -childID 99 -isForBrowser -prefsHandle 10504 -prefMapHandle 10744 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2334ef44-ed8f-4b6f-8eaa-0708f7e3b745} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 13296 219845cdc58 tab
3⤵
PID:11892

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.103.410857806\2082086524" -childID 100 -isForBrowser -prefsHandle 9768 -prefMapHandle 10944 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47833f7b-5028-48c2-9374-e349fc49f9df} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 13268 2198823f658 tab
3⤵
PID:8560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.104.638757274\145594611" -childID 101 -isForBrowser -prefsHandle 9952 -prefMapHandle 12752 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e614143f-16a7-46a0-8cb6-454c5478ee0d} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 7452 219885e6858 tab
3⤵
PID:3332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.105.916054983\586028457" -childID 102 -isForBrowser -prefsHandle 9776 -prefMapHandle 11408 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {31bcd25e-95b4-4fe7-bfa8-55a71a1923f5} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 8432 2198860fb58 tab
3⤵
PID:10056

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.106.1370715630\302773227" -childID 103 -isForBrowser -prefsHandle 13336 -prefMapHandle 13248 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {886b6cdf-e1bf-4cd2-9f15-7df931c90cac} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11552 2198ba64858 tab
3⤵
PID:11448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.107.995524086\1662476407" -childID 104 -isForBrowser -prefsHandle 8968 -prefMapHandle 12408 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {619d3c72-9720-473d-a37d-a17b4d331f76} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9768 219875edc58 tab
3⤵
PID:12304

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.108.506376345\2133489414" -childID 105 -isForBrowser -prefsHandle 13440 -prefMapHandle 13416 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5ff65629-2d8a-41b0-b6f3-efd5ed559e95} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 13388 2198b66db58 tab
3⤵
PID:12140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.109.1704528886\417267114" -childID 106 -isForBrowser -prefsHandle 13744 -prefMapHandle 8516 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74d3011d-fb34-4daa-9311-e59f0b38561e} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 13572 2198b136258 tab
3⤵
PID:12796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.110.943228740\278118138" -childID 107 -isForBrowser -prefsHandle 10188 -prefMapHandle 10496 -prefsLen 27757 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3673b2d0-c3e6-41b6-b8b8-babb8032d3aa} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 12672 2198baf5758 tab
3⤵
PID:9424

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
3⤵
- Executes dropped EXE
PID:10168

C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
3⤵
- Executes dropped EXE
PID:9044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.111.1555378933\880163557" -childID 108 -isForBrowser -prefsHandle 13052 -prefMapHandle 12812 -prefsLen 27813 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddf2502-ad0e-43b2-96ca-a97bc064a63b} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 11404 219885e8958 tab
3⤵
PID:13068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.112.933189976\1246835735" -childID 109 -isForBrowser -prefsHandle 13612 -prefMapHandle 13484 -prefsLen 27813 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b45cddbe-988a-47d5-91e1-4436ff315bcd} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 13604 219875ec458 tab
3⤵
PID:10400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4588.113.387701182\1489618044" -childID 110 -isForBrowser -prefsHandle 8476 -prefMapHandle 12936 -prefsLen 27813 -prefMapSize 233444 -jsInitHandle 1304 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {336a6de4-14f2-4461-bf9d-b126f0b81c81} 4588 "\\.\pipe\gecko-crash-server-pipe.4588" 9160 2198b7bd858 tab
3⤵
PID:8584

C:\Users\Admin\Downloads\winzip28.exe
"C:\Users\Admin\Downloads\winzip28.exe"
3⤵
- Executes dropped EXE
- NTFS ADS
PID:9928

C:\Users\Admin\AppData\Local\Temp\e6f6656\winzip28.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:10924

C:\Users\Admin\Downloads\winzip28.exe
"C:\Users\Admin\Downloads\winzip28.exe"
3⤵
- NTFS ADS
PID:7004

C:\Users\Admin\AppData\Local\Temp\e706596\winzip28.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28.exe"
4⤵
PID:11852

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EpicInstaller-15.17.1.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4AAB4D6BDBDB505E43A4E1B089294F9E C
2⤵
- Loads dropped DLL
PID:6108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIDD53.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240835921 5 CustomActionManaged!CustomActionManaged.CustomActions.ValidatePathLength
3⤵
- Loads dropped DLL
PID:5296

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E4925B4E193F558F4862AF2196414313
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIE3BB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240837578 10 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendStart
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
PID:5732

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIEA92.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240839328 16 CustomActionManaged!CustomActionManaged.CustomActions.SetStartupCmdlineArgs
3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2192

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIEFE3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240840687 22 CustomActionManaged!CustomActionManaged.CustomActions.CheckReparsePoints
3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5404

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3AFAB13A23ACE72D3B0F8BC8571DBFB7 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:5180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI1BB8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240851937 31 CustomActionManaged!CustomActionManaged.CustomActions.MoveChainerToFolder
3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5968

C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe
"C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:1468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:5972

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:6012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6192

C:\Program Files\VideoLAN\VLC\uninstall.exe
"C:\Program Files\VideoLAN\VLC\uninstall.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\VideoLAN\VLC\
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\VideoLAN\VLC\axvlc.dll"
3⤵
PID:2192

C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\VideoLAN\VLC\axvlc.dll"
4⤵
- Registers COM server for autorun
- Modifies registry class
PID:5944

C:\Program Files (x86)\GlassWire\GWCtlSrv.exe
"C:\Program Files (x86)\GlassWire\GWCtlSrv.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:5404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7116

C:\Program Files (x86)\GlassWire\GlassWire.exe
"C:\Program Files (x86)\GlassWire\GlassWire.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6852

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:5900

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:6320

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:5880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:7208

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
PID:7228

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:3204

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:5552

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:7188

C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies system certificate store
- NTFS ADS
PID:9368

C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBVpnTunnelService.exe" /installmbtun
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:9916

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Windows directory
- Modifies registry class
PID:10816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:9668

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
1⤵
PID:10600

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "9" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun\mbtun.inf" "9" "4ba9030c7" "0000000000000178" "Service-0x0-3e7$\Default" "000000000000017C" "208" "C:\Program Files\Malwarebytes\Anti-Malware\mbtun"
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:10612

C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"
1⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Checks BIOS information in registry
- Executes dropped EXE
- Registers COM server for autorun
- Enumerates connected drives
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:10124

C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe
"C:\Program Files\Malwarebytes\Anti-Malware\Malwarebytes.exe" nowindow
2⤵
- Executes dropped EXE
PID:10692

C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe
"C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\updatrpkg\mbupdatrV5.exe" "C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\config\UpdateControllerConfig.json" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE" "C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\dbclsupdate\staging" /db:dbupdate /su:no
2⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:11596

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\rsStubActivator.exe" -ip:"dui=4efffe2433ed3780d59da4b21b9c78c6fd880415&dit=20240427205179701&is_silent=true&oc=DOT_RAV_Cross_Solo_LDP&p=bf64&a=103&b=&se=true" -i
1⤵
- Executes dropped EXE
PID:10056

C:\Users\Admin\AppData\Local\Temp\txjzd1me.exe
"C:\Users\Admin\AppData\Local\Temp\txjzd1me.exe" /silent
2⤵
- Executes dropped EXE
PID:10616

C:\Users\Admin\AppData\Local\Temp\nst7B2F.tmp\RAVEndPointProtection-installer.exe
"C:\Users\Admin\AppData\Local\Temp\nst7B2F.tmp\RAVEndPointProtection-installer.exe" "C:\Users\Admin\AppData\Local\Temp\txjzd1me.exe" /silent
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
PID:9624

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -i -bn:ReasonLabs -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -dt:10
4⤵
- Executes dropped EXE
PID:8484

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngine.inf
4⤵
- Adds Run key to start application
PID:9332

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
5⤵
- Checks processor information in registry
PID:11284

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
6⤵
PID:3448

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\x64\rsKernelEngineEvents.xml
4⤵
PID:12144

C:\Windows\SYSTEM32\fltmc.exe
"fltmc.exe" load rsKernelEngine
4⤵
PID:11100

C:\Windows\system32\wevtutil.exe
"C:\Windows\system32\wevtutil.exe" im C:\Program Files\ReasonLabs\EPP\elam\evntdrv.xml
4⤵
PID:10604

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe" -i -i
4⤵
- Executes dropped EXE
PID:12376

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe" -i -i
4⤵
- Executes dropped EXE
PID:5792

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe" -i -i
4⤵
- Executes dropped EXE
- Modifies system certificate store
PID:11912

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\saBSI.exe" /affid 91082 PaidDistribution=true CountryCode=GB
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:9256

C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\installer.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer_files\\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:9236

C:\Program Files\McAfee\Temp2944930062\installer.exe
"C:\Program Files\McAfee\Temp2944930062\installer.exe" /setOem:Affid=91082 /s /thirdparty /upgrade
3⤵
- Executes dropped EXE
PID:9936

C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe
"C:\Program Files\ReasonLabs\Common\rsSyncSvc.exe" -pn:EPP -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v2/live -bn:ReasonLabs -dt:10
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ac
1⤵
PID:11172

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9972

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:12052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:11948

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:11668

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:11596

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:11456

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:10628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:12848

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:12892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:13260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:11404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:9468

C:\Program Files\ReasonLabs\EPP\rsWSC.exe
"C:\Program Files\ReasonLabs\EPP\rsWSC.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:11792

C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsClientSvc.exe"
1⤵
- Executes dropped EXE
PID:11924

C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe
"C:\Program Files\ReasonLabs\EPP\rsEngineSvc.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:12584

\??\c:\program files\reasonlabs\epp\rsHelper.exe
"c:\program files\reasonlabs\epp\rsHelper.exe"
2⤵
- Executes dropped EXE
PID:12932

\??\c:\program files\reasonlabs\EPP\ui\EPP.exe
"c:\program files\reasonlabs\EPP\ui\EPP.exe" --minimized --first-run
2⤵
- Executes dropped EXE
PID:12976

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" "c:\program files\reasonlabs\EPP\ui\app.asar" --engine-path="c:\program files\reasonlabs\EPP" --minimized --first-run
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:13012

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2100 --field-trial-handle=2084,i,13817615202717130995,5430445004527039933,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
PID:12088

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=3112 --field-trial-handle=2084,i,13817615202717130995,5430445004527039933,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
4⤵
- Executes dropped EXE
PID:11200

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3272 --field-trial-handle=2084,i,13817615202717130995,5430445004527039933,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:11884

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.reasonlabs.epp --app-path="C:\Program Files\ReasonLabs\Common\Client\v1.4.2\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3632 --field-trial-handle=2084,i,13817615202717130995,5430445004527039933,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:9128

C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe
"C:\Program Files\ReasonLabs\Common\Client\v1.4.2\rsAppUI.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\ReasonLabs\EPP" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3608 --field-trial-handle=2084,i,13817615202717130995,5430445004527039933,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
4⤵
- Executes dropped EXE
PID:9684

C:\program files\reasonlabs\epp\rsLitmus.A.exe
"C:\program files\reasonlabs\epp\rsLitmus.A.exe"
2⤵
- Executes dropped EXE
PID:7112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:13060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:11880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:12772

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\7b1c64742ba64457966af2b9caa2d9a6 /t 4576 /p 10168
1⤵
PID:11548

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8d68335875344319839c96115a1d89fe /t 8956 /p 9044
1⤵
PID:5928

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
PID:11508

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:6860

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
PID:8476

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
PID:11680

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
PID:2272

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-54d7-000000000000 --vrde config
2⤵
PID:11768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
PID:14092

C:\Users\Admin\Downloads\winzip28.exe
"C:\Users\Admin\Downloads\winzip28.exe"
1⤵
- NTFS ADS
PID:13324

C:\Users\Admin\AppData\Local\Temp\e70b4fe\winzip28.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28.exe"
2⤵
PID:13348

C:\Users\Admin\Downloads\winzip28.exe
"C:\Users\Admin\Downloads\winzip28.exe"
1⤵
- NTFS ADS
PID:13372

C:\Users\Admin\AppData\Local\Temp\e70b9ff\winzip28.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28.exe"
2⤵
PID:13408

C:\Users\Admin\Downloads\winzip28.exe
"C:\Users\Admin\Downloads\winzip28.exe"
1⤵
- NTFS ADS
PID:13440

C:\Users\Admin\AppData\Local\Temp\e70c22d\winzip28.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28.exe"
2⤵
PID:11416

C:\Users\Admin\Downloads\winzip28.exe
"C:\Users\Admin\Downloads\winzip28.exe"
1⤵
- NTFS ADS
PID:13484

C:\Users\Admin\AppData\Local\Temp\e70cb65\winzip28.exe
run=1 shortcut="C:\Users\Admin\Downloads\winzip28.exe"
2⤵
PID:13540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Install Root Certificate

T1553.004

Modify Registry

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery