afc3ff71d364c14eecc12918e7c00a435943005fc86dafa53da529f0a9c95285

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Program Files (x86)\\Windows\\Error file remover\\fatalerror.exe"	msiexec.exe

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	RedEye.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	RedEye.exe

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	828	cmd.exe	228

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5568	bcdedit.exe
3768	bcdedit.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Downloads MZ/PE file 14 IoCs

flow	pid	Process
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe
201	2540	msedge.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File created	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spoclsv.exe	Gnil.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	RedEye.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2260	NetSh.exe

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	SporaRansomware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	AdwereCleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	Rokku.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	msedge.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\International\Geo\Nation	RedEye.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\US579-7DXZT-RTXTX-HTXAT-XYYYY.HTML	SporaRansomware.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\us579-7dxzt-rtxtx-htxat-xyyyy.html	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\readme_how_to_unlock.html	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\readme_how_to_unlock.txt	taskmgr.exe

Executes dropped EXE 64 IoCs

pid	Process
5796	xpaj.exe
3080	msedge.exe
1640	msedge.exe
2916	xpajB.exe
3088	msedge.exe
2068	msedge.exe
540	msedge.exe
456	Gnil.exe
5296	spoclsv.exe
5476	msedge.exe
5300	msedge.exe
664	msedge.exe
3044	msedge.exe
5536	Floxif.exe
3628	Floxif.exe
216	Gnil.exe
4772	spoclsv.exe
1748	xpaj.exe
4540	msedge.exe
1140	msedge.exe
5200	msedge.exe
5112	AdwereCleaner.exe
5700	6AdwCleaner.exe
3912	msedge.exe
5868	msedge.exe
5732	msedge.exe
5152	SpySheriff.exe
5044	msedge.exe
3488	msedge.exe
5320	msedge.exe
5608	WinlockerVB6Blacksod.exe
5776	WinlockerVB6Blacksod.exe
6084	WinlockerVB6Blacksod.exe
60	Floxif.exe
5744	Gnil.exe
2064	spoclsv.exe
436	msedge.exe
5748	msedge.exe
3580	msedge.exe
4536	satan.exe
3576	satan.exe
5224	opno.exe
1220	opno.exe
420	msedge.exe
4784	msedge.exe
2580	msedge.exe
1328	SporaRansomware.exe
4044	msedge.exe
2384	msedge.exe
3720	msedge.exe
3556	msedge.exe
1140	msedge.exe
2632	msedge.exe
6024	msedge.exe
576	msedge.exe
4056	msedge.exe
1260	Satana.exe
5312	Satana.exe
4680	msedge.exe
5288	msedge.exe
4348	msedge.exe
6012	Rokku.exe
3924	msedge.exe
2680	Rokku.exe

Loads dropped DLL 64 IoCs

pid	Process
3108	msedge.exe
3080	msedge.exe
1640	msedge.exe
3088	msedge.exe
3088	msedge.exe
2068	msedge.exe
2068	msedge.exe
540	msedge.exe
540	msedge.exe
5476	msedge.exe
5476	msedge.exe
5300	msedge.exe
5300	msedge.exe
664	msedge.exe
664	msedge.exe
3044	msedge.exe
3044	msedge.exe
5536	Floxif.exe
3628	Floxif.exe
4540	msedge.exe
4540	msedge.exe
1140	msedge.exe
1140	msedge.exe
5200	msedge.exe
5200	msedge.exe
3912	msedge.exe
3912	msedge.exe
5868	msedge.exe
5868	msedge.exe
5732	msedge.exe
5732	msedge.exe
5044	msedge.exe
5044	msedge.exe
3488	msedge.exe
3488	msedge.exe
5320	msedge.exe
5320	msedge.exe
5608	WinlockerVB6Blacksod.exe
5608	WinlockerVB6Blacksod.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
1860	MsiExec.exe
4036	MsiExec.exe
1860	MsiExec.exe
5608	WinlockerVB6Blacksod.exe
1860	MsiExec.exe
5776	WinlockerVB6Blacksod.exe
5776	WinlockerVB6Blacksod.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe"	RedEye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto"	6AdwCleaner.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AE3DD8E9-23D3-741B-5056-89916FF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Eqcel\\opno.exe"	Explorer.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
262	1860	MsiExec.exe
265	1940	MsiExec.exe
266	5416	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\M:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\W:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\T:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\D:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Z:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\D:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\X:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\P:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\I:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\K:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Y:	WinlockerVB6Blacksod.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
200	raw.githubusercontent.com
201	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe
File opened for modification	\??\PHYSICALDRIVE0	xpaj.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	RedEye.exe
File opened for modification	C:\autorun.inf	RedEye.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp"	RedEye.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
1220	opno.exe
1220	opno.exe
1220	opno.exe
1220	opno.exe
1220	opno.exe
4420	RuntimeBroker.exe
4420	RuntimeBroker.exe
4420	RuntimeBroker.exe
4420	RuntimeBroker.exe
5572	backgroundTaskHost.exe
5572	backgroundTaskHost.exe
5572	backgroundTaskHost.exe
5572	backgroundTaskHost.exe
4828	DllHost.exe
4828	DllHost.exe
4828	DllHost.exe
4828	DllHost.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
5160	Conhost.exe
5160	Conhost.exe
5160	Conhost.exe
5160	Conhost.exe
2720	cmd.exe
2720	cmd.exe
2720	cmd.exe
2720	cmd.exe
5504	vssadmin.exe
5504	vssadmin.exe
5504	vssadmin.exe
5504	vssadmin.exe
5836	DllHost.exe
5836	DllHost.exe
5836	DllHost.exe
5836	DllHost.exe
5428	Conhost.exe
5428	Conhost.exe
5428	Conhost.exe
5428	Conhost.exe
5576	Rensenware.exe
5576	Rensenware.exe
5576	Rensenware.exe
5576	Rensenware.exe
5504	dw20.exe
5504	dw20.exe
5504	dw20.exe
5504	dw20.exe
2580	DllHost.exe
2580	DllHost.exe
2580	DllHost.exe
2580	DllHost.exe
1968	DllHost.exe
1968	DllHost.exe
1968	DllHost.exe
1968	DllHost.exe
5868	RedEye.exe
5868	RedEye.exe
5868	RedEye.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4536 set thread context of 3576	4536	satan.exe	202
PID 5224 set thread context of 1220	5224	opno.exe	206
PID 1260 set thread context of 5312	1260	Satana.exe	238

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5536-1964-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/5536-1968-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3628-1987-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/3628-1990-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/60-3131-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/memory/60-3134-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral1/files/0x000b000000027f7b-3804.dat	upx
behavioral1/memory/6012-3871-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/2680-4176-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/2680-4214-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/6012-4215-0x0000000000400000-0x000000000058D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\psmachine.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhds_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_pitch_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.OleDbProvider.dll	xpaj.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ucrtbase.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libtransform_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\ReachFramework.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\mpvis.DLL	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\rt3d.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ps_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EntityDataHandler.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mip_upe_sdk.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_id.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_ms.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libflaschen_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-processenvironment-l1-1-0.dll	xpaj.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-handle-l1-1-0.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_duplicate_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Data.OData.NetFX35.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Net.Resources.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libkate_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pipanel.exe	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\concrt140.dll	xpaj.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\WindowsAccessBridge-64.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_iw.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.ProgressiveProcessing.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Services.Client.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_eu.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\pwahelper.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	xpaj.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-runtime-l1-1-0.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libjpeg_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\upe.dll	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	xpaj.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\Microsoft.ReportingServices.AdHoc.Excel.Client.Entry.Interfaces.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationCore.resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Data.Entity.Resources.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_sw.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwjpn.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	xpaj.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\wab32.dll	xpaj.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5cbf50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC05C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI587A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC218.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC2C7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC316.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5939.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5859.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI975E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI990B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC268.tmp	msiexec.exe
File created	C:\Windows\Installer\e5cbf54.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5610.tmp	msiexec.exe
File created	C:\Windows\Nope.txt	RedEye.exe
File opened for modification	C:\Windows\Installer\e5cbf50.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9700.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI988C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC169.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5cbf59.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI982D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI997B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5cbf54.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI97DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC08C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC208.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI9A67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI57FB.tmp	msiexec.exe
File created	C:\Windows\Installer\e5cbf59.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI56CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI9AC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC238.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI577D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5998.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBFAE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI567F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI572D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58AA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI978E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0BB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0FB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C452D4E2-DE24-48B6-B5C3-ACB240A01606}	msiexec.exe
File created	C:\Windows\Tasks\sys.job	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSIBFFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI589A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI993B.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Program crash 5 IoCs

pid	pid_target	Process	procid_target
5916	5536	WerFault.exe	154
3524	3628	WerFault.exe	159
5952	60	WerFault.exe	192
5624	5312	WerFault.exe	238
4456	2680	WerFault.exe	265

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpajB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rokku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdwereCleaner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinlockerVB6Blacksod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Floxif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinlockerVB6Blacksod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinlockerVB6Blacksod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SporaRansomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rokku.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000d000000027f2c-2074.dat	nsis_installer_1
behavioral1/files/0x000d000000027f2c-2074.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Interacts with shadow copies 3 TTPs 5 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5684	vssadmin.exe
4224	vssadmin.exe
5820	vssadmin.exe
5008	vssadmin.exe
5504	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

defense_evasion spyware trojan

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "163"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0 = 5a00310000000000425a9501100053797374656d33320000420009000400efbe874f7748425a95012e000000f00800000000010000000000000000000000000000004fa91201530079007300740065006d0033003200000018000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010008000000140000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0047006e00660078007a00740065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e907020050004300480020003200390025000d000a005a0072007a00620065006c0020003700320025000d000a0051007600660078002000310025000d000a004100720067006a00620065007800200030002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002500000000000000000000000000000000000000000000000000000000000000d15bac3c0875db01c17d60ce0875db010000000047006e006600780020005a006e0061006e0074007200650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e90702004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002600000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000055e27b0a7271db0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e90702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002700000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000aa5486117171db0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0046007200700068006500760067006c00550072006e0079006700750046006c006600670065006e006c002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e90701004a0076006100710062006a006600200046007200700068006500760067006c0020002d0020004e0070006700760062006100660020006100720072007100720071002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000004000000dce282ba05f4ad47b032cf0faa0e3933000000000000000000000000c0f024e86971db0100000000000000000000000000000d20218f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c0000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133825311530040188"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010008000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e90702004100720067006a00620065007800200033000a005600610067007200650061007200670020006e0070007000720066006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002900000074ae2078e323294282c1e41cb67d5b9c00000000000000000000000055e27b0a7271db0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e90702004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002a00000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000aa5486117171db0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0047006e00660078007a00740065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e907020047006e006600780020005a006e0061006e0074007200650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000028000000000000000000000000000000000000000000000000000000000000002284a6760875db01c17d60ce0875db010000000047006e006600780020005a006e0061006e0074007200650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b0031004e005000310034005200370037002d0030003200520037002d0034005200350051002d004f003700340034002d00320052004f0031004e00520035003100390038004f0037007d005c0046007200700068006500760067006c00550072006e0079006700750046006c006600670065006e006c002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e90701004a0076006100710062006a006600200046007200700068006500760067006c0020002d0020004e0070006700760062006100660020006100720072007100720071002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000004000000dce282ba05f4ad47b032cf0faa0e3933000000000000000000000000c0f024e86971db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e90701000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1\0\NodeSlot = "3"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 = 56003100000000003c5a9051120057696e646f777300400009000400efbe874f7748425a8b022e000000360200000000010000000000000000000000000000005a211b01570069006e0064006f0077007300000016000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2566122449-2538968884-464987429-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	6AdwCleaner.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 227465.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3636	Explorer.EXE
3636	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	mspaint.exe
2528	mspaint.exe
2540	msedge.exe
2540	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
2968	identity_helper.exe
2968	identity_helper.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
772	msedge.exe
5920	msedge.exe
5920	msedge.exe
3080	msedge.exe
3080	msedge.exe
2068	msedge.exe
2068	msedge.exe
456	Gnil.exe
456	Gnil.exe
456	Gnil.exe
456	Gnil.exe
456	Gnil.exe
456	Gnil.exe
5296	spoclsv.exe
5296	spoclsv.exe
664	msedge.exe
664	msedge.exe
216	Gnil.exe
216	Gnil.exe
216	Gnil.exe
216	Gnil.exe
216	Gnil.exe
216	Gnil.exe
4772	spoclsv.exe
4772	spoclsv.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
5200	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
2916	xpajB.exe
2332	taskmgr.exe
3636	Explorer.EXE
380	msedge.exe
2816	taskhostw.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4128	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4128	AUDIODG.EXE
Token: SeDebugPrivilege	5536	Floxif.exe
Token: SeDebugPrivilege	3628	Floxif.exe
Token: SeDebugPrivilege	1508	taskmgr.exe
Token: SeSystemProfilePrivilege	1508	taskmgr.exe
Token: SeCreateGlobalPrivilege	1508	taskmgr.exe
Token: 33	1508	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1508	taskmgr.exe
Token: SeDebugPrivilege	5700	6AdwCleaner.exe
Token: SeSecurityPrivilege	872	msiexec.exe
Token: SeCreateTokenPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeAssignPrimaryTokenPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeLockMemoryPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeIncreaseQuotaPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeMachineAccountPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeTcbPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeSecurityPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeTakeOwnershipPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeLoadDriverPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeSystemProfilePrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeSystemtimePrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeProfSingleProcessPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeIncBasePriorityPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeCreatePagefilePrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeCreatePermanentPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeBackupPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeRestorePrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeDebugPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeAuditPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeSystemEnvironmentPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeChangeNotifyPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeRemoteShutdownPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeUndockPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeSyncAgentPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeEnableDelegationPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeManageVolumePrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeImpersonatePrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeCreateGlobalPrivilege	5608	WinlockerVB6Blacksod.exe
Token: SeShutdownPrivilege	5304	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5304	msiexec.exe
Token: SeCreateTokenPrivilege	5304	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5304	msiexec.exe
Token: SeLockMemoryPrivilege	5304	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5304	msiexec.exe
Token: SeMachineAccountPrivilege	5304	msiexec.exe
Token: SeTcbPrivilege	5304	msiexec.exe
Token: SeSecurityPrivilege	5304	msiexec.exe
Token: SeTakeOwnershipPrivilege	5304	msiexec.exe
Token: SeLoadDriverPrivilege	5304	msiexec.exe
Token: SeSystemProfilePrivilege	5304	msiexec.exe
Token: SeSystemtimePrivilege	5304	msiexec.exe
Token: SeProfSingleProcessPrivilege	5304	msiexec.exe
Token: SeIncBasePriorityPrivilege	5304	msiexec.exe
Token: SeCreatePagefilePrivilege	5304	msiexec.exe
Token: SeCreatePermanentPrivilege	5304	msiexec.exe
Token: SeBackupPrivilege	5304	msiexec.exe
Token: SeRestorePrivilege	5304	msiexec.exe
Token: SeShutdownPrivilege	5304	msiexec.exe
Token: SeDebugPrivilege	5304	msiexec.exe
Token: SeAuditPrivilege	5304	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5304	msiexec.exe
Token: SeChangeNotifyPrivilege	5304	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe
1508	taskmgr.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
2528	mspaint.exe
2528	mspaint.exe
2528	mspaint.exe
2528	mspaint.exe
5796	xpaj.exe
1748	xpaj.exe
5700	6AdwCleaner.exe
5700	6AdwCleaner.exe
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
3636	Explorer.EXE
2280	LogonUI.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4144	RuntimeBroker.exe
2000	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 648	380	msedge.exe	91
PID 380 wrote to memory of 648	380	msedge.exe	91
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 444	380	msedge.exe	92
PID 380 wrote to memory of 2540	380	msedge.exe	93
PID 380 wrote to memory of 2540	380	msedge.exe	93
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94
PID 380 wrote to memory of 2444	380	msedge.exe	94

System policy modification 1 TTPs 11 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	RedEye.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RedEye.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	RedEye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	RedEye.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4"	RedEye.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2672

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2816

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3636
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\b231263f-0b92-4f02-9e71-3d6a05534490.jpg"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7fff506046f8,0x7fff50604708,0x7fff50604718
    3⤵
    PID:648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
    3⤵
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    PID:2540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    PID:2444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:1492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:4584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:4948
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    PID:1508
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    3⤵
    PID:4336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    3⤵
    PID:3664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    3⤵
    PID:4220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
    3⤵
    PID:2760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
    3⤵
    PID:3376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:2956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
    3⤵
    PID:2624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
    3⤵
    PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
    3⤵
    PID:3324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
    3⤵
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6344 /prefetch:8
    3⤵
    PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2068 /prefetch:8
    3⤵
    PID:1748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4768 /prefetch:8
    3⤵
    PID:3888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
    3⤵
    PID:2520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
    3⤵
    PID:5252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
    3⤵
    PID:5336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
    3⤵
    PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
    3⤵
    PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
    3⤵
    PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
    3⤵
    PID:5672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
    3⤵
    PID:6004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
    3⤵
    PID:6080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5724 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1436 /prefetch:1
    3⤵
    PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 /prefetch:8
    3⤵
    PID:5932
- - C:\Users\Admin\Downloads\xpaj.exe
    "C:\Users\Admin\Downloads\xpaj.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
    3⤵
    - Loads dropped DLL
    PID:3108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5460 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1640
- - C:\Users\Admin\Downloads\xpajB.exe
    "C:\Users\Admin\Downloads\xpajB.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5696 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:540
- - C:\Users\Admin\Downloads\Gnil.exe
    "C:\Users\Admin\Downloads\Gnil.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:456
  - - C:\Windows\SysWOW64\drivers\spoclsv.exe
      C:\Windows\system32\drivers\spoclsv.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7208 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7224 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3044
- - C:\Users\Admin\Downloads\Floxif.exe
    "C:\Users\Admin\Downloads\Floxif.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 476
      4⤵
      Program crash
      PID:5916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5804 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1072 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5200
- - C:\Users\Admin\Downloads\AdwereCleaner.exe
    "C:\Users\Admin\Downloads\AdwereCleaner.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
  - - C:\Users\Admin\AppData\Local\6AdwCleaner.exe
      "C:\Users\Admin\AppData\Local\6AdwCleaner.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6016 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5732
- - C:\Users\Admin\Downloads\SpySheriff.exe
    "C:\Users\Admin\Downloads\SpySheriff.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7312 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5320
- - C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
    "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5608
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5304
- - C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
    "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:5776
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:1240
- - C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe
    "C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    PID:6084
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\Downloads\WinlockerVB6Blacksod.exe SETUPEXEDIR=C:\Users\Admin\Downloads\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      4⤵
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      PID:5816
- - C:\Users\Admin\Downloads\Floxif.exe
    "C:\Users\Admin\Downloads\Floxif.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:60
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 476
      4⤵
      Program crash
      PID:5952
- - C:\Users\Admin\Downloads\Gnil.exe
    "C:\Users\Admin\Downloads\Gnil.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5744
  - - C:\Windows\SysWOW64\drivers\spoclsv.exe
      C:\Windows\system32\drivers\spoclsv.exe
      4⤵
      Executes dropped EXE
      PID:2064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7692 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7636 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:5748
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:3580
- - C:\Users\Admin\Downloads\satan.exe
    "C:\Users\Admin\Downloads\satan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4536
  - - C:\Users\Admin\Downloads\satan.exe
      "C:\Users\Admin\Downloads\satan.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3576
    - - C:\Users\Admin\AppData\Roaming\Eqcel\opno.exe
        
        "C:\Users\Admin\AppData\Roaming\Eqcel\opno.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5224
      - C:\Users\Admin\AppData\Roaming\Eqcel\opno.exe
        
        "C:\Users\Admin\AppData\Roaming\Eqcel\opno.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_42bf30ec.bat"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Users\Admin\Downloads\SporaRansomware.exe
    "C:\Users\Admin\Downloads\SporaRansomware.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1328
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\US579-7DXZT-RTXTX-HTXAT-XYYYY.HTML
      4⤵
      Executes dropped EXE
      PID:3556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7fff506046f8,0x7fff50604708,0x7fff50604718
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7672 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:3720
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7732 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7184 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4056
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1260
  - - C:\Users\Admin\Downloads\Satana.exe
      "C:\Users\Admin\Downloads\Satana.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 412
        5⤵
        Program crash
        
        PID:5624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7336 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:5288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3592 /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Users\Admin\Downloads\Rokku.exe
    "C:\Users\Admin\Downloads\Rokku.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6012
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5428
  - - C:\Windows\SysWOW64\wbem\WMIC.exe
      "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
      4⤵
      System Location Discovery: System Language Discovery
      PID:5608
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:272
  - - C:\Windows\SysWOW64\reg.exe
      "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5836
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop vss
      4⤵
      System Location Discovery: System Language Discovery
      PID:1240
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop vss
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop swprv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3332
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop swprv
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:988
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop srservice
      4⤵
      System Location Discovery: System Language Discovery
      PID:5860
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop srservice
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3924
- - C:\Users\Admin\Downloads\Rokku.exe
    "C:\Users\Admin\Downloads\Rokku.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 600
      4⤵
      Program crash
      PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    3⤵
    PID:1320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5504 /prefetch:8
    3⤵
    PID:3396
- - C:\Users\Admin\Downloads\Rensenware.exe
    "C:\Users\Admin\Downloads\Rensenware.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:5576
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 840
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Enumerates system info in registry
      PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:5908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
    3⤵
    - Checks computer location settings
    PID:304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7348 /prefetch:8
    3⤵
    PID:5212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18307307074734400489,1074012207238413863,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7416 /prefetch:8
    3⤵
    PID:2700
- - C:\Users\Admin\Downloads\RedEye.exe
    "C:\Users\Admin\Downloads\RedEye.exe"
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Sets desktop wallpaper using registry
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System policy modification
    PID:5868
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5684
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:5820
  - - C:\Windows\SYSTEM32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:4224
  - - C:\Windows\SYSTEM32\NetSh.exe
      NetSh Advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2260
  - - C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -r -t 00 -f
      4⤵
      PID:4980
- - C:\Users\Admin\Downloads\RedEye.exe
    "C:\Users\Admin\Downloads\RedEye.exe"
    3⤵
    PID:440
- - C:\Users\Admin\Downloads\RedEye.exe
    "C:\Users\Admin\Downloads\RedEye.exe"
    3⤵
    PID:1736
- - C:\Users\Admin\Downloads\RedEye.exe
    "C:\Users\Admin\Downloads\RedEye.exe"
    3⤵
    PID:4996
- - C:\Users\Admin\Downloads\RedEye.exe
    "C:\Users\Admin\Downloads\RedEye.exe"
    3⤵
    PID:2240
- C:\Users\Admin\Downloads\Floxif.exe
  "C:\Users\Admin\Downloads\Floxif.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 476
    3⤵
    - Program crash
    PID:3524
- C:\Users\Admin\Downloads\Gnil.exe
  "C:\Users\Admin\Downloads\Gnil.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- - C:\Windows\SysWOW64\drivers\spoclsv.exe
    C:\Windows\system32\drivers\spoclsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4772
- C:\Users\Admin\Downloads\xpaj.exe
  "C:\Users\Admin\Downloads\xpaj.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1748
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:1508
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2332
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:5008
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4072

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:796

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:4144

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4360

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:4632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1548

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3820

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1600

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x3f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5536 -ip 5536
1⤵
PID:5912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 236 -p 3628 -ip 3628
1⤵
PID:1740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:872
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AF7FF05589F6E7F10F28358D13302B66
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6E9F2FE9819B6EA92C222A6178A48D1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4036
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E71C6C819ADFDC2A5FFCD3334421A34B
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 76283517A2C9374D813D7E84C8D106C4 E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B0B18160D7BD24B34EF2C4CF8C461CD8
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:5416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 53A8BACE0042552B9D4D1343C6D1FE3A E Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 252 -p 60 -ip 60
1⤵
PID:5944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2696

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4828

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2720
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:5160
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Interacts with shadow copies
  PID:5504
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5568
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 236 -p 5312 -ip 5312
1⤵
PID:2284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 252 -p 2680 -ip 2680
1⤵
PID:3864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:3620

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3958055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery