Overview
overview
10Static
static
ﱞﱞﱞ�...ﱞﱞ
windows7_x64
ﱞﱞﱞ�...ﱞﱞ
windows7_x64
ﱞﱞﱞ�...ﱞﱞ
windows7_x64
10ﱞﱞﱞ�...ﱞﱞ
windows7_x64
10win102
windows10_x64
10win102
windows10_x64
8win102
windows10_x64
8win102
windows10_x64
8win104
windows10_x64
10win104
windows10_x64
10win104
windows10_x64
8win104
windows10_x64
8win105
windows10_x64
8win105
windows10_x64
8win105
windows10_x64
8win105
windows10_x64
10win106
windows10_x64
10win106
windows10_x64
10win106
windows10_x64
10win106
windows10_x64
10win103
windows10_x64
10win103
windows10_x64
8win103
windows10_x64
8win103
windows10_x64
10win101
windows10_x64
10win101
windows10_x64
8win101
windows10_x64
10win101
windows10_x64
8win100
windows10_x64
10win100
windows10_x64
10win100
windows10_x64
8win100
windows10_x64
10Resubmissions
12-11-2024 01:29
241112-bwgrxs1gnf 1008-07-2021 12:18
210708-8z6d5h8z2n 1006-07-2021 17:53
210706-g6we6sa7sa 1019-06-2021 18:17
210619-vr8bj2dzfn 1017-06-2021 21:39
210617-a9cvlnmrbx 1011-06-2021 17:26
210611-wvab1yw2tj 1008-06-2021 06:47
210608-qrbpch3y46 1008-06-2021 06:47
210608-64tndgm1ln 1005-06-2021 18:40
210605-cd6qpr55sx 1004-06-2021 11:56
210604-5c416rs3ns 10Analysis
-
max time kernel
1788s -
max time network
1802s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
18-05-2021 13:06
Static task
static1
Behavioral task
behavioral1
Sample
Install.exe
Resource
win7v20210410
gluptebametasploitplugxredlinesmokeloadervidarbackdoorfacebookdiscoverydropperevasioninfostealerloaderpersistencephishingstealertrojanupxvmprotect
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Install2.exe
Resource
win7v20210410
gluptebametasploitplugxredlinesmokeloadervidarbackdoorfacebookdiscoverydropperevasioninfostealerloaderpersistencephishingstealertrojanupxvmprotect
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
keygen-step-4.exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
keygen-step-4d.exe
Resource
win7v20210410
elysiumstealergluptebametasploitredlinesmokeloadersocelarsvidarbackdoorfacebookdiscoverydropperevasioninfostealerloaderpersistencephishingspywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
Install.exe
Resource
win10v20210410
elysiumstealerraccoonredlinesmokeloadersocelarsvidarxmrigagressiabackdoorfacebookdiscoveryevasioninfostealerminerpersistencephishingspywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
Install2.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
keygen-step-4.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
keygen-step-4d.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
Install.exe
Resource
win10v20210410
elysiumstealerredlinesmokeloadersocelarsvidarbackdoorfacebookdiscoveryevasioninfostealerpersistencephishingspywarestealertrojanupxvmprotect
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
Install2.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
keygen-step-4.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
keygen-step-4d.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
Install.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
Install2.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
keygen-step-4.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
keygen-step-4d.exe
Resource
win10v20210410
elysiumstealerraccoonsocelarsvidarxmrigfacebookdiscoveryevasionminerpersistencephishingspywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
Install.exe
Resource
win10v20210410
raccoonredlinesmokeloadersocelarsvidarxmrigagressiabackdoordiscoveryevasioninfostealerminerpersistencespywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
Install2.exe
Resource
win10v20210410
raccoonredlinesmokeloadersocelarsvidarxmrigbackdoordiscoveryevasioninfostealerminerpersistencespywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
keygen-step-4.exe
Resource
win10v20210410
elysiumstealerraccoonredlinesocelarsvidarxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingspywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
keygen-step-4d.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
Install.exe
Resource
win10v20210410
raccoonsmokeloadersocelarsvidarxmrigbackdoorfacebookdiscoveryevasionminerpersistencephishingspywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
Install2.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
keygen-step-4.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
keygen-step-4d.exe
Resource
win10v20210410
elysiumstealerraccoonredlinesocelarsvidarxmrigfacebookdiscoveryevasioninfostealerminerpersistencephishingspywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
Install.exe
Resource
win10v20210410
raccoonredlinesmokeloadersocelarsvidarxmrigagressiabackdoordiscoveryevasioninfostealerminerpersistencespywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral26
Sample
Install2.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral27
Sample
keygen-step-4.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral28
Sample
keygen-step-4d.exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral29
Sample
Install.exe
Resource
win10v20210410
elysiumstealerraccoonredlinesmokeloadersocelarsvidarxmrigbackdoorfacebookdiscoveryevasioninfostealerminerpersistencephishingspywarestealertrojanupxvmprotect
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral30
Sample
Install2.exe
Resource
win10v20210410
elysiumstealerraccoonredlinesmokeloadersocelarsvidarxmrigafefd33a49c7cbd55d417545269920f24c85aa37backdoorfacebookdiscoveryevasioninfostealerminerpersistencephishingspywarestealertrojanupx
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral31
Sample
keygen-step-4.exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
General
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 4768 created 6112 4768 svchost.exe 160 -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request 50 IoCs
flow pid Process 145 5456 msiexec.exe 155 5392 MsiExec.exe 157 5392 MsiExec.exe 158 5392 MsiExec.exe 160 5392 MsiExec.exe 161 5392 MsiExec.exe 162 5392 MsiExec.exe 163 5392 MsiExec.exe 165 5392 MsiExec.exe 166 5392 MsiExec.exe 167 5392 MsiExec.exe 168 5392 MsiExec.exe 169 5392 MsiExec.exe 170 5392 MsiExec.exe 171 5392 MsiExec.exe 172 5392 MsiExec.exe 173 5392 MsiExec.exe 174 5392 MsiExec.exe 175 5392 MsiExec.exe 176 5392 MsiExec.exe 177 5392 MsiExec.exe 178 5392 MsiExec.exe 180 5392 MsiExec.exe 181 5392 MsiExec.exe 182 5392 MsiExec.exe 183 5392 MsiExec.exe 185 5392 MsiExec.exe 186 5392 MsiExec.exe 187 5392 MsiExec.exe 188 5392 MsiExec.exe 189 5392 MsiExec.exe 190 5392 MsiExec.exe 191 5392 MsiExec.exe 192 5392 MsiExec.exe 193 5392 MsiExec.exe 194 5392 MsiExec.exe 195 5392 MsiExec.exe 196 5392 MsiExec.exe 198 5392 MsiExec.exe 201 5392 MsiExec.exe 202 5392 MsiExec.exe 203 5392 MsiExec.exe 204 5392 MsiExec.exe 205 5392 MsiExec.exe 208 5392 MsiExec.exe 209 5392 MsiExec.exe 212 5392 MsiExec.exe 213 5392 MsiExec.exe 214 5392 MsiExec.exe 277 2992 cmd.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts Ultra.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 4_177039.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 3316505.exe -
Executes dropped EXE 64 IoCs
pid Process 2824 xiuhuali.exe 4072 JoSetp.exe 4248 Install.exe 4300 Install.tmp 4396 Ultra.exe 4836 Jidibolaxy.exe 4880 Qelaecejuca.exe 1524 filee.exe 4320 001.exe 4252 installer.exe 4392 hbggg.exe 5164 jfiag3g_gg.exe 5488 google-game.exe 5244 setup.exe 5352 customer1.exe 5432 jfiag3g_gg.exe 5476 cmd.exe 5532 F32C.exe 5580 toolspab1.exe 5576 Setup.exe 592 jg6_6asg.exe 1588 gaoou.exe 4136 005.exe 6020 installer.exe 6096 702564a0.exe 6112 app.exe 4640 jfiag3g_gg.exe 5428 Setup3310.exe 6036 Setup3310.tmp 5208 jfiag3g_gg.exe 5980 app.exe 3452 EDDB.exe 5532 F32C.exe 5576 Setup.exe 5972 hjjgaa.exe 4532 RunWW.exe 4832 BarSetpFile.exe 700 guihuali-game.exe 4748 LabPicV3.exe 6028 lylal220.exe 4092 jg7_7wjg.exe 4864 askinstall38.exe 4752 lylal220.tmp 2992 cmd.exe 2160 4_177039.exe 5844 3316505.exe 4776 jfiag3g_gg.exe 4116 2963966.exe 5588 jfiag3g_gg.exe 5936 Windows Host.exe 5796 6707195.exe 4888 1524803.exe 5144 irecord.exe 5944 irecord.tmp 5160 prolab.exe 1892 Gerimizhono.exe 4428 Kacyjaebaejy.exe 5592 Caevaqaeqenae.exe 2428 Netoduryhu.exe 1072 prolab.tmp 3980 i-record.exe 5588 jfiag3g_gg.exe 4704 001.exe 5872 001.exe -
resource yara_rule behavioral32/files/0x000100000001ac0e-248.dat upx behavioral32/files/0x000100000001ac0e-249.dat upx behavioral32/files/0x000200000001ac1b-303.dat upx behavioral32/files/0x000200000001ac1b-304.dat upx behavioral32/files/0x000200000001ac1b-309.dat upx behavioral32/files/0x000100000001ac49-334.dat upx behavioral32/files/0x000100000001ac49-335.dat upx -
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Caevaqaeqenae.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation google-game.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation toolspab1.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Jidibolaxy.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation google-game.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation keygen-step-4d.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation guihuali-game.exe Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation Gerimizhono.exe -
Loads dropped DLL 63 IoCs
pid Process 3576 rundll32.exe 4300 Install.tmp 4252 installer.exe 4252 installer.exe 5732 rUNdlL32.eXe 4252 installer.exe 6064 MsiExec.exe 6064 MsiExec.exe 5580 toolspab1.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 5392 MsiExec.exe 4252 installer.exe 5392 MsiExec.exe 5392 MsiExec.exe 5844 3316505.exe 5844 3316505.exe 5844 3316505.exe 5844 3316505.exe 5844 3316505.exe 5844 3316505.exe 5844 3316505.exe 5392 MsiExec.exe 6036 Setup3310.tmp 6036 Setup3310.tmp 6096 702564a0.exe 2992 cmd.exe 4752 lylal220.tmp 3988 rUNdlL32.eXe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 3980 i-record.exe 4532 RunWW.exe 4532 RunWW.exe 5184 installer.exe 5184 installer.exe 5184 installer.exe 6380 MsiExec.exe 6380 MsiExec.exe 7040 rUNdlL32.eXe 6084 rUNdlL32.eXe 6116 spoolsv.exe 6116 spoolsv.exe 6116 spoolsv.exe 6116 spoolsv.exe 6116 spoolsv.exe 6116 spoolsv.exe 6116 spoolsv.exe 6116 spoolsv.exe 6604 toolspab1.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Duhehikelo.exe\"" Ultra.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" gaoou.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe" jfiag3g_gg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Data Finder\\Fapobysiru.exe\"" 4_177039.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Adobe\\Bepanudiva.exe\"" 3316505.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host Service = "C:\\Windows\\System\\svchost.exe" DDEA.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg6_6asg.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: installer.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: installer.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 365 ip-api.com 31 ip-api.com 225 ipinfo.io 227 ipinfo.io -
Drops file in System32 directory 10 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #1 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 79DE3EA8FCE4AC10 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent E0144521C7934FBA svchost.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 3852 set thread context of 2144 3852 svchost.exe 80 PID 3852 set thread context of 4436 3852 svchost.exe 84 PID 5476 set thread context of 5580 5476 cmd.exe 134 PID 5848 set thread context of 5496 5848 EE28.exe 284 PID 6592 set thread context of 6604 6592 toolspab1.exe 289 PID 6760 set thread context of 6848 6760 toolspab1.exe 293 PID 6832 set thread context of 1976 6832 490C.exe 299 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Google\Duhehikelo.exe Ultra.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe Setup.exe File created C:\Program Files\Windows Portable Devices\WFWCCSKEAV\prolab.exe.config 3316505.exe File created C:\Program Files (x86)\recording\unins000.dat irecord.tmp File created C:\Program Files (x86)\Data Finder\Fapobysiru.exe.config 4_177039.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe Setup.exe File created C:\Program Files (x86)\recording\is-3PNJH.tmp irecord.tmp File created C:\Program Files (x86)\Google\Duhehikelo.exe.config Ultra.exe File created C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.ini Setup.exe File opened for modification C:\Program Files (x86)\recording\postproc-52.dll irecord.tmp File created C:\Program Files (x86)\recording\is-GBT03.tmp irecord.tmp File created C:\Program Files (x86)\recording\is-5D6RT.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Picture Lab\AForge.dll prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-1D1QG.tmp prolab.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe Setup.exe File opened for modification C:\Program Files (x86)\recording\avfilter-2.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\avutil-51.dll irecord.tmp File created C:\Program Files (x86)\Data Finder\Fapobysiru.exe 4_177039.exe File created C:\Program Files (x86)\recording\is-J2814.tmp irecord.tmp File created C:\Program Files (x86)\Picture Lab\is-D2R60.tmp prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-978BV.tmp prolab.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\Uninstall.exe Setup.exe File opened for modification C:\Program Files (x86)\recording\i-record.exe irecord.tmp File opened for modification C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll irecord.tmp File created C:\Program Files (x86)\recording\is-801MP.tmp irecord.tmp File created C:\Program Files (x86)\Adobe\Bepanudiva.exe 3316505.exe File opened for modification C:\Program Files (x86)\Picture Lab\SourceLibrary.dll prolab.tmp File opened for modification C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll prolab.tmp File created C:\Program Files\install.dat xiuhuali.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File created C:\Program Files (x86)\recording\is-0Q66S.tmp irecord.tmp File created C:\Program Files (x86)\recording\is-A9HT9.tmp irecord.tmp File created C:\Program Files (x86)\Picture Lab\unins000.dat prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-IBGC1.tmp prolab.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File created C:\Program Files (x86)\recording\is-5EJ8F.tmp irecord.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File opened for modification C:\Program Files (x86)\recording\avdevice-53.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\avcodec-53.dll irecord.tmp File created C:\Program Files (x86)\recording\is-A5NHH.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Picture Lab\AForge.Math.dll prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-OPQ9I.tmp prolab.tmp File opened for modification C:\Program Files (x86)\recording\avformat-53.dll irecord.tmp File created C:\Program Files (x86)\recording\is-K5LPL.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Picture Lab\DockingToolbar.dll prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-HM4N8.tmp prolab.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File opened for modification C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll prolab.tmp File opened for modification C:\Program Files (x86)\recording\unins000.dat irecord.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File created C:\Program Files\Windows Portable Devices\WFWCCSKEAV\prolab.exe 3316505.exe File created C:\Program Files (x86)\recording\is-UAJ6J.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Picture Lab\SourceGrid2.dll prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-QIJ4K.tmp prolab.tmp File opened for modification C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe Setup.exe File opened for modification C:\Program Files (x86)\recording\AForge.Video.dll irecord.tmp File created C:\Program Files (x86)\recording\is-I148V.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Picture Lab\unins000.dat prolab.tmp File created C:\Program Files (x86)\recording\is-NJ80P.tmp irecord.tmp File opened for modification C:\Program Files (x86)\recording\swresample-0.dll irecord.tmp File opened for modification C:\Program Files (x86)\recording\swscale-2.dll irecord.tmp File opened for modification C:\Program Files (x86)\Picture Lab\Pictures Lab.exe prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-1BJ5M.tmp prolab.tmp -
Drops file in Windows directory 50 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI522F.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File created C:\Windows\System\svchost.exe DDEA.exe File created C:\Windows\System\xxx1.bak svchost.exe File opened for modification C:\Windows\Installer\f752fea.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI59A6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI640B.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File created C:\Windows\Installer\f752fed.msi msiexec.exe File opened for modification C:\Windows\System\libevent_core-2-1-7.dll svchost.exe File opened for modification C:\Windows\System\libwinpthread-1.dll svchost.exe File opened for modification C:\Windows\System\zlib1.dll svchost.exe File opened for modification C:\Windows\Installer\MSI5368.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI67F5.tmp msiexec.exe File opened for modification C:\Windows\System\spoolsv.exe svchost.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI4B16.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4F6F.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\System\spoolsv.tar svchost.exe File opened for modification C:\Windows\System\libgcc_s_sjlj-1.dll svchost.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File opened for modification C:\Windows\Installer\MSI4931.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5483.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI65E1.tmp msiexec.exe File opened for modification C:\Windows\System\svchost.exe DDEA.exe File opened for modification C:\Windows\Installer\MSI47E8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4D1B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI62C1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6C6D.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File created C:\Windows\Installer\f752fea.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5733.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5938.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\System\libssp-0.dll svchost.exe File created C:\Windows\System\xxx1.bak DDEA.exe File opened for modification C:\Windows\System\libcrypto-1_1.dll svchost.exe File opened for modification C:\Windows\Installer\MSI417E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4F00.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6040.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI636E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6893.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\System\libevent-2-1-7.dll svchost.exe File opened for modification C:\Windows\System\libevent_extra-2-1-7.dll svchost.exe File opened for modification C:\Windows\System\libssl-1_1.dll svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4696 6084 WerFault.exe 253 -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 702564a0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab1.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RunWW.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RunWW.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 6628 timeout.exe -
Kills process with taskkill 3 IoCs
pid Process 3716 taskkill.exe 1404 taskkill.exe 1700 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main guihuali-game.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" app.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" app.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" app.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" app.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" app.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersion = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance toolspab1.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance google-game.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S}\1 = "2400" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 30cbde90e64bd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fd4f728ce64bd701 MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TV2553ZI-PZ3Y-VP7M-68Y0-MJT9X67Z6U7M} rUNdlL32.eXe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QJ2559JN-BF7A-LM2A-20M4-JBF9M43Q7G3S} svchost.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" MicrosoftEdge.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe -
Runs ping.exe 1 TTPs 3 IoCs
pid Process 6852 PING.EXE 5524 PING.EXE 2936 PING.EXE -
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 226 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 227 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 266 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 268 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 269 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 270 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 274 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3576 rundll32.exe 3576 rundll32.exe 3852 svchost.exe 3852 svchost.exe 3852 svchost.exe 3852 svchost.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe 4880 Qelaecejuca.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2984 Process not Found -
Suspicious behavior: MapViewOfSection 28 IoCs
pid Process 3156 MicrosoftEdgeCP.exe 3156 MicrosoftEdgeCP.exe 3156 MicrosoftEdgeCP.exe 3156 MicrosoftEdgeCP.exe 5580 toolspab1.exe 3156 MicrosoftEdgeCP.exe 6096 702564a0.exe 6568 MicrosoftEdgeCP.exe 6568 MicrosoftEdgeCP.exe 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 2984 Process not Found 6604 toolspab1.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3576 rundll32.exe Token: SeTcbPrivilege 3852 svchost.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 4072 JoSetp.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeDebugPrivilege 3576 rundll32.exe Token: SeTcbPrivilege 3852 svchost.exe Token: SeDebugPrivilege 4396 Ultra.exe Token: SeDebugPrivilege 4836 Jidibolaxy.exe Token: SeDebugPrivilege 4880 Qelaecejuca.exe Token: SeAssignPrimaryTokenPrivilege 2780 svchost.exe Token: SeIncreaseQuotaPrivilege 2780 svchost.exe Token: SeSecurityPrivilege 2780 svchost.exe Token: SeTakeOwnershipPrivilege 2780 svchost.exe Token: SeLoadDriverPrivilege 2780 svchost.exe Token: SeSystemtimePrivilege 2780 svchost.exe Token: SeBackupPrivilege 2780 svchost.exe Token: SeRestorePrivilege 2780 svchost.exe Token: SeShutdownPrivilege 2780 svchost.exe Token: SeSystemEnvironmentPrivilege 2780 svchost.exe Token: SeUndockPrivilege 2780 svchost.exe Token: SeManageVolumePrivilege 2780 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2780 svchost.exe Token: SeIncreaseQuotaPrivilege 2780 svchost.exe Token: SeSecurityPrivilege 2780 svchost.exe Token: SeTakeOwnershipPrivilege 2780 svchost.exe Token: SeLoadDriverPrivilege 2780 svchost.exe Token: SeSystemtimePrivilege 2780 svchost.exe Token: SeBackupPrivilege 2780 svchost.exe Token: SeRestorePrivilege 2780 svchost.exe Token: SeShutdownPrivilege 2780 svchost.exe Token: SeSystemEnvironmentPrivilege 2780 svchost.exe Token: SeUndockPrivilege 2780 svchost.exe Token: SeManageVolumePrivilege 2780 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2780 svchost.exe Token: SeIncreaseQuotaPrivilege 2780 svchost.exe Token: SeSecurityPrivilege 2780 svchost.exe Token: SeTakeOwnershipPrivilege 2780 svchost.exe Token: SeLoadDriverPrivilege 2780 svchost.exe Token: SeSystemtimePrivilege 2780 svchost.exe Token: SeBackupPrivilege 2780 svchost.exe Token: SeRestorePrivilege 2780 svchost.exe Token: SeShutdownPrivilege 2780 svchost.exe Token: SeSystemEnvironmentPrivilege 2780 svchost.exe Token: SeUndockPrivilege 2780 svchost.exe Token: SeManageVolumePrivilege 2780 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2780 svchost.exe Token: SeIncreaseQuotaPrivilege 2780 svchost.exe Token: SeSecurityPrivilege 2780 svchost.exe Token: SeTakeOwnershipPrivilege 2780 svchost.exe Token: SeLoadDriverPrivilege 2780 svchost.exe Token: SeSystemtimePrivilege 2780 svchost.exe Token: SeBackupPrivilege 2780 svchost.exe Token: SeRestorePrivilege 2780 svchost.exe Token: SeShutdownPrivilege 2780 svchost.exe -
Suspicious use of FindShellTrayWindow 9 IoCs
pid Process 4252 installer.exe 2984 Process not Found 2984 Process not Found 6036 Setup3310.tmp 2984 Process not Found 2984 Process not Found 5944 irecord.tmp 1072 prolab.tmp 5184 installer.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 2824 xiuhuali.exe 2824 xiuhuali.exe 4196 MicrosoftEdge.exe 3156 MicrosoftEdgeCP.exe 3156 MicrosoftEdgeCP.exe 4860 MicrosoftEdge.exe 6568 MicrosoftEdgeCP.exe 6568 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3168 wrote to memory of 2824 3168 keygen-step-4d.exe 76 PID 3168 wrote to memory of 2824 3168 keygen-step-4d.exe 76 PID 3168 wrote to memory of 2824 3168 keygen-step-4d.exe 76 PID 2824 wrote to memory of 3576 2824 xiuhuali.exe 78 PID 2824 wrote to memory of 3576 2824 xiuhuali.exe 78 PID 2824 wrote to memory of 3576 2824 xiuhuali.exe 78 PID 3168 wrote to memory of 4072 3168 keygen-step-4d.exe 79 PID 3168 wrote to memory of 4072 3168 keygen-step-4d.exe 79 PID 3576 wrote to memory of 3852 3576 rundll32.exe 32 PID 3852 wrote to memory of 2144 3852 svchost.exe 80 PID 3852 wrote to memory of 2144 3852 svchost.exe 80 PID 3576 wrote to memory of 2696 3576 rundll32.exe 26 PID 3852 wrote to memory of 2144 3852 svchost.exe 80 PID 3576 wrote to memory of 1008 3576 rundll32.exe 65 PID 3576 wrote to memory of 2528 3576 rundll32.exe 30 PID 3576 wrote to memory of 2536 3576 rundll32.exe 29 PID 3576 wrote to memory of 1140 3576 rundll32.exe 59 PID 3576 wrote to memory of 1084 3576 rundll32.exe 61 PID 3576 wrote to memory of 1420 3576 rundll32.exe 53 PID 3576 wrote to memory of 1948 3576 rundll32.exe 42 PID 3576 wrote to memory of 1176 3576 rundll32.exe 58 PID 3576 wrote to memory of 1412 3576 rundll32.exe 54 PID 3576 wrote to memory of 2780 3576 rundll32.exe 22 PID 3576 wrote to memory of 2800 3576 rundll32.exe 21 PID 3168 wrote to memory of 4248 3168 keygen-step-4d.exe 81 PID 3168 wrote to memory of 4248 3168 keygen-step-4d.exe 81 PID 3168 wrote to memory of 4248 3168 keygen-step-4d.exe 81 PID 4248 wrote to memory of 4300 4248 Install.exe 82 PID 4248 wrote to memory of 4300 4248 Install.exe 82 PID 4248 wrote to memory of 4300 4248 Install.exe 82 PID 4300 wrote to memory of 4396 4300 Install.tmp 83 PID 4300 wrote to memory of 4396 4300 Install.tmp 83 PID 3852 wrote to memory of 4436 3852 svchost.exe 84 PID 3852 wrote to memory of 4436 3852 svchost.exe 84 PID 3852 wrote to memory of 4436 3852 svchost.exe 84 PID 4396 wrote to memory of 4836 4396 Ultra.exe 89 PID 4396 wrote to memory of 4836 4396 Ultra.exe 89 PID 4396 wrote to memory of 4880 4396 Ultra.exe 90 PID 4396 wrote to memory of 4880 4396 Ultra.exe 90 PID 3156 wrote to memory of 4504 3156 MicrosoftEdgeCP.exe 96 PID 3156 wrote to memory of 4504 3156 MicrosoftEdgeCP.exe 96 PID 3156 wrote to memory of 4504 3156 MicrosoftEdgeCP.exe 96 PID 3168 wrote to memory of 1524 3168 keygen-step-4d.exe 97 PID 3168 wrote to memory of 1524 3168 keygen-step-4d.exe 97 PID 3168 wrote to memory of 1524 3168 keygen-step-4d.exe 97 PID 4880 wrote to memory of 4952 4880 Qelaecejuca.exe 98 PID 4880 wrote to memory of 4952 4880 Qelaecejuca.exe 98 PID 4952 wrote to memory of 4320 4952 cmd.exe 100 PID 4952 wrote to memory of 4320 4952 cmd.exe 100 PID 4952 wrote to memory of 4320 4952 cmd.exe 100 PID 4880 wrote to memory of 4812 4880 Qelaecejuca.exe 101 PID 4880 wrote to memory of 4812 4880 Qelaecejuca.exe 101 PID 4812 wrote to memory of 4252 4812 cmd.exe 103 PID 4812 wrote to memory of 4252 4812 cmd.exe 103 PID 4812 wrote to memory of 4252 4812 cmd.exe 103 PID 4880 wrote to memory of 4796 4880 Qelaecejuca.exe 104 PID 4880 wrote to memory of 4796 4880 Qelaecejuca.exe 104 PID 4796 wrote to memory of 4392 4796 cmd.exe 107 PID 4796 wrote to memory of 4392 4796 cmd.exe 107 PID 4796 wrote to memory of 4392 4796 cmd.exe 107 PID 4392 wrote to memory of 5164 4392 hbggg.exe 108 PID 4392 wrote to memory of 5164 4392 hbggg.exe 108 PID 4392 wrote to memory of 5164 4392 hbggg.exe 108 PID 4880 wrote to memory of 5416 4880 Qelaecejuca.exe 109
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2800
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3168 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3576
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Users\Admin\AppData\Local\Temp\is-ARLLP.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-ARLLP.tmp\Install.tmp" /SL5="$5018E,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\is-D1NEF.tmp\Ultra.exe"C:\Users\Admin\AppData\Local\Temp\is-D1NEF.tmp\Ultra.exe" /S /UID=burnerch14⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Users\Admin\AppData\Local\Temp\d0-a4c0c-a78-84ebb-1f6efa940b57c\Jidibolaxy.exe"C:\Users\Admin\AppData\Local\Temp\d0-a4c0c-a78-84ebb-1f6efa940b57c\Jidibolaxy.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4836
-
-
C:\Users\Admin\AppData\Local\Temp\fe-56d18-e0a-01192-971893f2f149c\Qelaecejuca.exe"C:\Users\Admin\AppData\Local\Temp\fe-56d18-e0a-01192-971893f2f149c\Qelaecejuca.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\macwqjvc.sbn\001.exe & exit6⤵
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Users\Admin\AppData\Local\Temp\macwqjvc.sbn\001.exeC:\Users\Admin\AppData\Local\Temp\macwqjvc.sbn\001.exe7⤵
- Executes dropped EXE
PID:4320
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rmavprpc.vfh\installer.exe /qn CAMPAIGN="654" & exit6⤵
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Users\Admin\AppData\Local\Temp\rmavprpc.vfh\installer.exeC:\Users\Admin\AppData\Local\Temp\rmavprpc.vfh\installer.exe /qn CAMPAIGN="654"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:4252 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rmavprpc.vfh\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\rmavprpc.vfh\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621083853 /qn CAMPAIGN=""654"" " CAMPAIGN="654"8⤵PID:524
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\quqnwxng.fef\hbggg.exe & exit6⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\quqnwxng.fef\hbggg.exeC:\Users\Admin\AppData\Local\Temp\quqnwxng.fef\hbggg.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:5164
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
- Executes dropped EXE
PID:5432
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cemhnrfx.eup\google-game.exe & exit6⤵PID:5416
-
C:\Users\Admin\AppData\Local\Temp\cemhnrfx.eup\google-game.exeC:\Users\Admin\AppData\Local\Temp\cemhnrfx.eup\google-game.exe7⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:5488 -
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser8⤵
- Loads dropped DLL
- Modifies registry class
PID:5732
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\50atltkv.xvq\setup.exe & exit6⤵PID:5840
-
C:\Users\Admin\AppData\Local\Temp\50atltkv.xvq\setup.exeC:\Users\Admin\AppData\Local\Temp\50atltkv.xvq\setup.exe7⤵
- Executes dropped EXE
PID:5244 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\50atltkv.xvq\setup.exe"8⤵PID:5608
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30009⤵
- Runs ping.exe
PID:5524
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ojspmpag.vph\customer1.exe & exit6⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\ojspmpag.vph\customer1.exeC:\Users\Admin\AppData\Local\Temp\ojspmpag.vph\customer1.exe7⤵
- Executes dropped EXE
PID:5352 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵PID:5532
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵PID:5576
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\000lvbwt.a1b\toolspab1.exe & exit6⤵PID:5264
-
C:\Users\Admin\AppData\Local\Temp\000lvbwt.a1b\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\000lvbwt.a1b\toolspab1.exe7⤵PID:5476
-
C:\Users\Admin\AppData\Local\Temp\000lvbwt.a1b\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\000lvbwt.a1b\toolspab1.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5580
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d3sethg2.ebc\GcleanerWW.exe /mixone & exit6⤵PID:3280
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fiaehq1l.1jg\005.exe & exit6⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\fiaehq1l.1jg\005.exeC:\Users\Admin\AppData\Local\Temp\fiaehq1l.1jg\005.exe7⤵
- Executes dropped EXE
PID:4136
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b5pfwklt.qav\installer.exe /qn CAMPAIGN="654" & exit6⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\b5pfwklt.qav\installer.exeC:\Users\Admin\AppData\Local\Temp\b5pfwklt.qav\installer.exe /qn CAMPAIGN="654"7⤵
- Executes dropped EXE
PID:6020
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l4mfr403.2ey\702564a0.exe & exit6⤵PID:5460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:5840
-
-
C:\Users\Admin\AppData\Local\Temp\l4mfr403.2ey\702564a0.exeC:\Users\Admin\AppData\Local\Temp\l4mfr403.2ey\702564a0.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6096
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\j5dppkib.h0t\app.exe /8-2222 & exit6⤵PID:4804
-
C:\Users\Admin\AppData\Local\Temp\j5dppkib.h0t\app.exeC:\Users\Admin\AppData\Local\Temp\j5dppkib.h0t\app.exe /8-22227⤵
- Executes dropped EXE
PID:6112 -
C:\Users\Admin\AppData\Local\Temp\j5dppkib.h0t\app.exe"C:\Users\Admin\AppData\Local\Temp\j5dppkib.h0t\app.exe" /8-22228⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5980
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k3n5zfbw.bhj\Setup3310.exe /Verysilent /subid=623 & exit6⤵PID:4356
-
C:\Users\Admin\AppData\Local\Temp\k3n5zfbw.bhj\Setup3310.exeC:\Users\Admin\AppData\Local\Temp\k3n5zfbw.bhj\Setup3310.exe /Verysilent /subid=6237⤵
- Executes dropped EXE
PID:5428 -
C:\Users\Admin\AppData\Local\Temp\is-GBQ17.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-GBQ17.tmp\Setup3310.tmp" /SL5="$70304,138429,56832,C:\Users\Admin\AppData\Local\Temp\k3n5zfbw.bhj\Setup3310.exe" /Verysilent /subid=6238⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6036 -
C:\Users\Admin\AppData\Local\Temp\is-1O3TN.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-1O3TN.tmp\Setup.exe" /Verysilent9⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5576 -
C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"10⤵
- Executes dropped EXE
PID:5972 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
- Executes dropped EXE
PID:4776
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt11⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5588
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:4532 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit11⤵PID:916
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f12⤵
- Kills process with taskkill
PID:1700
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 612⤵
- Delays execution with timeout.exe
PID:6628
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"10⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies Internet Explorer settings
PID:700 -
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install11⤵
- Loads dropped DLL
PID:3988
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"10⤵
- Executes dropped EXE
PID:6028 -
C:\Users\Admin\AppData\Local\Temp\is-AAGJI.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-AAGJI.tmp\lylal220.tmp" /SL5="$4034E,237286,153600,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\is-D0PSI.tmp\4_177039.exe"C:\Users\Admin\AppData\Local\Temp\is-D0PSI.tmp\4_177039.exe" /S /UID=lylal22012⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2160 -
C:\Program Files\Windows Portable Devices\JAGFNIHONP\irecord.exe"C:\Program Files\Windows Portable Devices\JAGFNIHONP\irecord.exe" /VERYSILENT13⤵
- Executes dropped EXE
PID:5144 -
C:\Users\Admin\AppData\Local\Temp\is-5H6DD.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-5H6DD.tmp\irecord.tmp" /SL5="$503BC,6139911,56832,C:\Program Files\Windows Portable Devices\JAGFNIHONP\irecord.exe" /VERYSILENT14⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:5944 -
C:\Program Files (x86)\recording\i-record.exe"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3980
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d4-1b10e-3eb-37997-0a301bd0071cd\Gerimizhono.exe"C:\Users\Admin\AppData\Local\Temp\d4-1b10e-3eb-37997-0a301bd0071cd\Gerimizhono.exe"13⤵
- Executes dropped EXE
- Checks computer location settings
PID:1892
-
-
C:\Users\Admin\AppData\Local\Temp\26-adfd0-3fa-db8bf-4008c51cbba26\Kacyjaebaejy.exe"C:\Users\Admin\AppData\Local\Temp\26-adfd0-3fa-db8bf-4008c51cbba26\Kacyjaebaejy.exe"13⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3tbnq0d.slb\001.exe & exit14⤵PID:6104
-
C:\Users\Admin\AppData\Local\Temp\a3tbnq0d.slb\001.exeC:\Users\Admin\AppData\Local\Temp\a3tbnq0d.slb\001.exe15⤵
- Executes dropped EXE
PID:5872
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\40lnugyu.n2o\installer.exe /qn CAMPAIGN="654" & exit14⤵PID:4344
-
C:\Users\Admin\AppData\Local\Temp\40lnugyu.n2o\installer.exeC:\Users\Admin\AppData\Local\Temp\40lnugyu.n2o\installer.exe /qn CAMPAIGN="654"15⤵PID:3788
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2jfaegot.mn0\hbggg.exe & exit14⤵PID:4132
-
C:\Users\Admin\AppData\Local\Temp\2jfaegot.mn0\hbggg.exeC:\Users\Admin\AppData\Local\Temp\2jfaegot.mn0\hbggg.exe15⤵PID:6212
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:6484
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:7136
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yryaceok.lwh\google-game.exe & exit14⤵PID:6940
-
C:\Users\Admin\AppData\Local\Temp\yryaceok.lwh\google-game.exeC:\Users\Admin\AppData\Local\Temp\yryaceok.lwh\google-game.exe15⤵PID:6760
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser16⤵
- Loads dropped DLL
PID:6084 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 59617⤵
- Drops file in Windows directory
- Program crash
PID:4696
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\h5y10kga.svv\setup.exe & exit14⤵PID:7160
-
C:\Users\Admin\AppData\Local\Temp\h5y10kga.svv\setup.exeC:\Users\Admin\AppData\Local\Temp\h5y10kga.svv\setup.exe15⤵PID:1404
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\h5y10kga.svv\setup.exe"16⤵PID:3788
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300017⤵
- Runs ping.exe
PID:6852
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mlzdy4b3.5vb\customer1.exe & exit14⤵PID:6072
-
C:\Users\Admin\AppData\Local\Temp\mlzdy4b3.5vb\customer1.exeC:\Users\Admin\AppData\Local\Temp\mlzdy4b3.5vb\customer1.exe15⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:4344
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt16⤵PID:1224
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3olbr3ep.r5v\toolspab1.exe & exit14⤵PID:6260
-
C:\Users\Admin\AppData\Local\Temp\3olbr3ep.r5v\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\3olbr3ep.r5v\toolspab1.exe15⤵
- Suspicious use of SetThreadContext
PID:6592 -
C:\Users\Admin\AppData\Local\Temp\3olbr3ep.r5v\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\3olbr3ep.r5v\toolspab1.exe16⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6604
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"C:\Program Files (x86)\Data Finder\Versium Research\askinstall38.exe"10⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe11⤵PID:3176
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe12⤵
- Kills process with taskkill
PID:1404
-
-
-
-
C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\Data Finder\Versium Research\jg7_7wjg.exe"10⤵
- Executes dropped EXE
PID:4092
-
-
C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"10⤵
- Executes dropped EXE
PID:4748
-
-
C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\Data Finder\Versium Research\BarSetpFile.exe"10⤵
- Executes dropped EXE
PID:4832 -
C:\Users\Admin\AppData\Roaming\2963966.exe"C:\Users\Admin\AppData\Roaming\2963966.exe"11⤵
- Executes dropped EXE
PID:4116
-
-
C:\Users\Admin\AppData\Roaming\5947769.exe"C:\Users\Admin\AppData\Roaming\5947769.exe"11⤵PID:5588
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"12⤵
- Executes dropped EXE
PID:5936
-
-
-
C:\Users\Admin\AppData\Roaming\6707195.exe"C:\Users\Admin\AppData\Roaming\6707195.exe"11⤵
- Executes dropped EXE
PID:5796
-
-
C:\Users\Admin\AppData\Roaming\1524803.exe"C:\Users\Admin\AppData\Roaming\1524803.exe"11⤵
- Executes dropped EXE
PID:4888
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"2⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL3⤵PID:5232
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
PID:2936
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:592
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1588 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
PID:4640
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
PID:5208
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2536
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2528
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:2144
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4436
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1948
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1420
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1412
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
- Modifies registry class
PID:1176
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1140
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:1084
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:1008
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4196
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:700
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4504
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4268
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:5652
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:5456 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 378F657D7FC8E808350F33E3AFC69F4A C2⤵
- Loads dropped DLL
PID:6064
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 62FCB8EF4ADF0348E8599101132AA0882⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5392 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:3716
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5939979564CBDE285AEC14D366C5C3DB E Global\MSI00002⤵PID:5844
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6373A834167929759AC52ED3D0546234 C2⤵
- Loads dropped DLL
PID:6380
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4108
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4800
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4768
-
C:\Users\Admin\AppData\Local\Temp\EDDB.exeC:\Users\Admin\AppData\Local\Temp\EDDB.exe1⤵
- Executes dropped EXE
PID:3452
-
C:\Users\Admin\AppData\Local\Temp\F32C.exeC:\Users\Admin\AppData\Local\Temp\F32C.exe1⤵
- Executes dropped EXE
PID:5532
-
C:\Users\Admin\AppData\Local\Temp\is-GJQL5.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-GJQL5.tmp\LabPicV3.tmp" /SL5="$30346,506127,422400,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"1⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\is-64H2O.tmp\3316505.exe"C:\Users\Admin\AppData\Local\Temp\is-64H2O.tmp\3316505.exe" /S /UID=lab2142⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
PID:5844 -
C:\Program Files\Windows Portable Devices\WFWCCSKEAV\prolab.exe"C:\Program Files\Windows Portable Devices\WFWCCSKEAV\prolab.exe" /VERYSILENT3⤵
- Executes dropped EXE
PID:5160 -
C:\Users\Admin\AppData\Local\Temp\is-43FT7.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-43FT7.tmp\prolab.tmp" /SL5="$502B4,575243,216576,C:\Program Files\Windows Portable Devices\WFWCCSKEAV\prolab.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1072
-
-
-
C:\Users\Admin\AppData\Local\Temp\22-81f74-bc1-11ca7-3cfadf2f61471\Netoduryhu.exe"C:\Users\Admin\AppData\Local\Temp\22-81f74-bc1-11ca7-3cfadf2f61471\Netoduryhu.exe"3⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\szecknih.5ei\001.exe & exit4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5476 -
C:\Users\Admin\AppData\Local\Temp\szecknih.5ei\001.exeC:\Users\Admin\AppData\Local\Temp\szecknih.5ei\001.exe5⤵
- Executes dropped EXE
PID:4704
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\entryxpd.0iu\installer.exe /qn CAMPAIGN="654" & exit4⤵PID:3780
-
C:\Users\Admin\AppData\Local\Temp\entryxpd.0iu\installer.exeC:\Users\Admin\AppData\Local\Temp\entryxpd.0iu\installer.exe /qn CAMPAIGN="654"5⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5184
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dtlz1arg.xlj\hbggg.exe & exit4⤵PID:5556
-
C:\Users\Admin\AppData\Local\Temp\dtlz1arg.xlj\hbggg.exeC:\Users\Admin\AppData\Local\Temp\dtlz1arg.xlj\hbggg.exe5⤵PID:6204
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵PID:6476
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵PID:6628
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wq1cyjsm.d4x\google-game.exe & exit4⤵PID:6772
-
C:\Users\Admin\AppData\Local\Temp\wq1cyjsm.d4x\google-game.exeC:\Users\Admin\AppData\Local\Temp\wq1cyjsm.d4x\google-game.exe5⤵
- Checks computer location settings
PID:6356 -
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setuser6⤵
- Loads dropped DLL
PID:7040
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lxoh4rbd.ve4\setup.exe & exit4⤵PID:7000
-
C:\Users\Admin\AppData\Local\Temp\lxoh4rbd.ve4\setup.exeC:\Users\Admin\AppData\Local\Temp\lxoh4rbd.ve4\setup.exe5⤵PID:5408
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zmheie1g.cee\customer1.exe & exit4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Users\Admin\AppData\Local\Temp\zmheie1g.cee\customer1.exeC:\Users\Admin\AppData\Local\Temp\zmheie1g.cee\customer1.exe5⤵PID:6044
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵PID:3920
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵PID:6852
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z14v5xnf.hbv\toolspab1.exe & exit4⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\z14v5xnf.hbv\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\z14v5xnf.hbv\toolspab1.exe5⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
PID:6760 -
C:\Users\Admin\AppData\Local\Temp\z14v5xnf.hbv\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\z14v5xnf.hbv\toolspab1.exe6⤵PID:6848
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\09-2d10d-f50-f9ca4-d7d1168a38e99\Caevaqaeqenae.exe"C:\Users\Admin\AppData\Local\Temp\09-2d10d-f50-f9ca4-d7d1168a38e99\Caevaqaeqenae.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
PID:5592
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4860
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:2272
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6568
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:6892
-
C:\Users\Admin\AppData\Local\Temp\DDEA.exeC:\Users\Admin\AppData\Local\Temp\DDEA.exe1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:6344 -
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true2⤵PID:4732
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal2⤵
- Drops file in Windows directory
PID:5396 -
C:\Program Files\Windows Defender\MpCmdRun.exe"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -Set-Mp Preference -DisableIOAVProtection $true3⤵PID:7096
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:7136
-
-
-
C:\Windows\System\spoolsv.exe"C:\Windows\System\spoolsv.exe" --MaxCircuitDirtiness 60 --NewCircuitPeriod 1 --MaxClientCircuitsPending 1024 --OptimisticData 1 --KeepalivePeriod 30 --CircuitBuildTimeout 10 --EnforceDistinctSubnets 0 --HardwareAccel 1 --UseEntryGuards 03⤵
- Loads dropped DLL
PID:6116
-
-
-
C:\Users\Admin\AppData\Local\Temp\EE28.exeC:\Users\Admin\AppData\Local\Temp\EE28.exe1⤵
- Suspicious use of SetThreadContext
PID:5848 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe2⤵PID:5496
-
-
C:\Users\Admin\AppData\Local\Temp\F28E.exeC:\Users\Admin\AppData\Local\Temp\F28E.exe1⤵PID:6232
-
C:\Users\Admin\AppData\Local\Temp\F926.exeC:\Users\Admin\AppData\Local\Temp\F926.exe1⤵PID:7004
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4384
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:6544
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6588
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:6644
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:4072
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:6532
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6660
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4480
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1404
-
C:\Users\Admin\AppData\Local\Temp\490C.exeC:\Users\Admin\AppData\Local\Temp\490C.exe1⤵
- Suspicious use of SetThreadContext
PID:6832 -
C:\Users\Admin\AppData\Local\Temp\490C.exeC:\Users\Admin\AppData\Local\Temp\490C.exe2⤵PID:1976
-
-
C:\Users\Admin\AppData\Local\Temp\5BBB.exeC:\Users\Admin\AppData\Local\Temp\5BBB.exe1⤵PID:7052