Overview
overview
10Static
static
Setup (1).exe
windows7_x64
Setup (1).exe
windows10_x64
10Setup (10).exe
windows7_x64
10Setup (10).exe
windows10_x64
10Setup (11).exe
windows7_x64
Setup (11).exe
windows10_x64
10Setup (12).exe
windows7_x64
Setup (12).exe
windows10_x64
10Setup (13).exe
windows7_x64
10Setup (13).exe
windows10_x64
10Setup (14).exe
windows7_x64
10Setup (14).exe
windows10_x64
10Setup (15).exe
windows7_x64
10Setup (15).exe
windows10_x64
10Setup (16).exe
windows7_x64
10Setup (16).exe
windows10_x64
10Setup (17).exe
windows7_x64
10Setup (17).exe
windows10_x64
10Setup (18).exe
windows7_x64
10Setup (18).exe
windows10_x64
10Setup (19).exe
windows7_x64
10Setup (19).exe
windows10_x64
10Setup (2).exe
windows7_x64
10Setup (2).exe
windows10_x64
10Setup (20).exe
windows7_x64
10Setup (20).exe
windows10_x64
10Setup (21).exe
windows7_x64
Setup (21).exe
windows10_x64
10Setup (22).exe
windows7_x64
Setup (22).exe
windows10_x64
10Setup (23).exe
windows7_x64
10Setup (23).exe
windows10_x64
10Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
1755s -
max time network
1846s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
27/08/2021, 15:40
Static task
static1
Behavioral task
behavioral1
Sample
Setup (1).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Setup (1).exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
Setup (10).exe
Resource
win7v20210410
gluptebametasploitraccoonredlinesmokeloadervidar27.08995adsfe582536ec580228180f270f7cb80a867860e010backdoordiscoverydropperevasioninfostealerloaderstealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
Setup (10).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadertofseevidar27.08937995backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
Setup (11).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
Setup (11).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadervidar27.08937995dibild2backdoordiscoverydropperevasioninfostealerloaderransomwarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
Setup (12).exe
Resource
win7v20210408
gluptebametasploitredlinesmokeloadervidar27.08937995adsdibild2installs8912backdoordropperevasioninfostealerloaderstealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
Setup (12).exe
Resource
win10v20210410
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
Setup (13).exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
Setup (13).exe
Resource
win10v20210410
burangluptebametasploitredlinesmokeloadertofseevidar937995dibild2supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
Setup (14).exe
Resource
win7v20210410
gluptebametasploitraccoonredlinesmokeloadertofseevidar260827.08517937adsd02c5d65069fc7ce1993e7c52edf0c9c4c195c81installs8912backdoordiscoverydropperevasioninfostealerloaderpersistencestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
Setup (14).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadervidar27.08937995dibild2backdoordropperevasioninfostealerloaderstealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
Setup (15).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
Setup (15).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadertofseevidar27.08937995dibild2backdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
Setup (16).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
Setup (16).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadervidar27.08937995supertraffbackdoordiscoverydropperevasioninfostealerloaderspywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral17
Sample
Setup (17).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral18
Sample
Setup (17).exe
Resource
win10v20210410
burangluptebametasploitredlinesmokeloadertofseevidar2608937995dibild2supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral19
Sample
Setup (18).exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral20
Sample
Setup (18).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadertofseevidar27.08995dibild2supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral21
Sample
Setup (19).exe
Resource
win7v20210408
redlineadsdibild2installs8912supertraffdiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral22
Sample
Setup (19).exe
Resource
win10v20210410
burangluptebametasploitredlinesmokeloadertofseevidar27.08937995dibild2supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral23
Sample
Setup (2).exe
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral24
Sample
Setup (2).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadertofseevidar937995supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral25
Sample
Setup (20).exe
Resource
win7v20210410
redlinetofsee27.08adsdibild2installs8912supertrafftest 22.08evasioninfostealerpersistenceransomwarespywarestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral26
Sample
Setup (20).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadertofseevidar27.08937995dibild2supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral27
Sample
Setup (21).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral28
Sample
Setup (21).exe
Resource
win10v20210408
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral29
Sample
Setup (22).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral30
Sample
Setup (22).exe
Resource
win10v20210408
gluptebametasploitredlinesmokeloadertofseevidar27.08937995dibild2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral31
Sample
Setup (23).exe
Resource
win7v20210410
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral32
Sample
Setup (23).exe
Resource
win10v20210410
gluptebametasploitredlinesmokeloadertofseevidar260827.08937995supertraffbackdoordiscoverydropperevasioninfostealerloaderpersistenceransomwarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
General
-
Target
Setup (19).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
Path
C:\_readme.txt
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-ykQaS2tRyB
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0328gDrgoC4j04vLx6lqyFlyzpTC55w9igCGDgaBYLhUjv3Rr
URLs
https://we.tl/t-ykQaS2tRyB
Extracted
Family
redline
Botnet
dibild2
C2
135.148.139.222:1494
Extracted
Family
redline
Botnet
supertraff
C2
135.148.139.222:1494
Extracted
Family
redline
C2
185.215.113.29:8678
Extracted
Family
redline
Botnet
ads
C2
45.93.4.12:80
Extracted
Family
redline
Botnet
installs8912
C2
185.186.142.245:22850
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 12 IoCs
resource yara_rule behavioral21/memory/2552-177-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral21/memory/2552-180-0x000000000041A616-mapping.dmp family_redline behavioral21/memory/2584-181-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral21/memory/1940-182-0x0000000003050000-0x000000000306C000-memory.dmp family_redline behavioral21/memory/2584-183-0x000000000041A6B2-mapping.dmp family_redline behavioral21/memory/2584-186-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral21/memory/2780-192-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral21/memory/2812-196-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral21/memory/2780-197-0x000000000041A67A-mapping.dmp family_redline behavioral21/memory/2780-201-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral21/memory/2360-205-0x00000000024E0000-0x00000000024FD000-memory.dmp family_redline behavioral21/memory/2360-206-0x0000000003E10000-0x0000000003E2C000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 46 IoCs
pid Process 1004 2YzYGHmuKUOOOBnGphCPPabj.exe 816 yoxGu_m2_blMYbQ50g43VQmP.exe 1764 9UN7oVbs0N95sBuIsDeKkJtr.exe 1648 NCvOVZA6o16S1f1QOBHOuhfV.exe 1688 MS43Zwx0_MZg2p79k8PsC6V7.exe 528 lpCON7jA7LeNLCaWMxkqWtwl.exe 428 bsXERFd4YbVF6qoggCh03Q2M.exe 1768 NHf9j44uoVOg_KovTpufStjQ.exe 560 8VId9tSQ2Qw1ouoNffDbTZ96.exe 760 _Jtg7m0n9mycuTpQOm0FQo5v.exe 1660 iQix3GpJ6iOpyQ5OTtOXho0k.exe 1896 meYsz7C98wRh3fCOU1Yxcx61.exe 1684 S4FXU_9gh05lSLUoyzQoAHyI.exe 1508 64RZLsNPDZw9zUrvqKlAAsH2.exe 1312 XVfbKSEgl9df0U6OBZOefYc3.exe 840 j6DMetZ9Imrb7_aHVNaxE41n.exe 576 R6bTjzEz6GBwQiuQIx1t4afm.exe 1940 LPtM79t0U_Z9NEUfnXXnJ4Pi.exe 1560 lV2j78LQO0cdhxyJZuZhc82x.exe 756 j3gVYLzK107PgU9OFnpxDUmU.exe 864 kFa2dT5P1HHFxHACEzM9Ajhp.exe 2064 aqEwqYCwTLw48PVpxBIb8jx3.exe 2076 YPs39cdQTpqJL5qNeKSkLwJb.exe 2560 R6bTjzEz6GBwQiuQIx1t4afm.exe 2584 R6bTjzEz6GBwQiuQIx1t4afm.exe 2760 cutm3.exe 2824 md8_8eus.exe 2844 inst1.exe 2780 8VId9tSQ2Qw1ouoNffDbTZ96.exe 2376 8C0A.exe 2360 C13E.exe 2964 8C0A.exe 2028 kFa2dT5P1HHFxHACEzM9Ajhp.exe 1776 8C0A.exe 188 ieserhw 2508 8C0A.exe 2164 8C0A.exe 1072 8C0A.exe 2416 EA13.exe 1904 8C0A.exe 1168 EC07.exe 3052 ieserhw 2764 8C0A.exe 3004 8C0A.exe 400 build2.exe 1724 build3.exe -
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\CheckpointLimit.crw => C:\Users\Admin\Pictures\CheckpointLimit.crw.orkf 8C0A.exe File opened for modification C:\Users\Admin\Pictures\DismountReceive.tiff 8C0A.exe File renamed C:\Users\Admin\Pictures\DismountReceive.tiff => C:\Users\Admin\Pictures\DismountReceive.tiff.orkf 8C0A.exe File opened for modification C:\Users\Admin\Pictures\ShowSubmit.tiff 8C0A.exe File renamed C:\Users\Admin\Pictures\ShowSubmit.tiff => C:\Users\Admin\Pictures\ShowSubmit.tiff.orkf 8C0A.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion aqEwqYCwTLw48PVpxBIb8jx3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NHf9j44uoVOg_KovTpufStjQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NHf9j44uoVOg_KovTpufStjQ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion aqEwqYCwTLw48PVpxBIb8jx3.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation Setup (19).exe -
Loads dropped DLL 53 IoCs
pid Process 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 1080 Setup (19).exe 560 8VId9tSQ2Qw1ouoNffDbTZ96.exe 1684 S4FXU_9gh05lSLUoyzQoAHyI.exe 2076 YPs39cdQTpqJL5qNeKSkLwJb.exe 2076 YPs39cdQTpqJL5qNeKSkLwJb.exe 2076 YPs39cdQTpqJL5qNeKSkLwJb.exe 2376 8C0A.exe 2964 8C0A.exe 2964 8C0A.exe 1564 WerFault.exe 1564 WerFault.exe 1564 WerFault.exe 1564 WerFault.exe 1776 8C0A.exe 2164 8C0A.exe 2164 8C0A.exe 2164 8C0A.exe 2164 8C0A.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2020 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral21/files/0x000300000001315b-100.dat themida behavioral21/files/0x0003000000013179-140.dat themida behavioral21/files/0x00040000000055aa-130.dat themida behavioral21/files/0x000300000001315b-109.dat themida behavioral21/files/0x0003000000013179-155.dat themida behavioral21/files/0x00040000000055aa-153.dat themida behavioral21/memory/1768-175-0x0000000000950000-0x0000000000951000-memory.dmp themida behavioral21/memory/2064-185-0x0000000000890000-0x0000000000891000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6c3bf94e-8141-4a22-bac8-96c391488feb\\8C0A.exe\" --AutoStart" 8C0A.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NHf9j44uoVOg_KovTpufStjQ.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA aqEwqYCwTLw48PVpxBIb8jx3.exe -
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 ipinfo.io 22 ipinfo.io 172 api.2ip.ua 173 api.2ip.ua 211 api.2ip.ua 279 api.2ip.ua 284 api.2ip.ua -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1768 NHf9j44uoVOg_KovTpufStjQ.exe 2064 aqEwqYCwTLw48PVpxBIb8jx3.exe -
Suspicious use of SetThreadContext 10 IoCs
description pid Process procid_target PID 816 set thread context of 1448 816 yoxGu_m2_blMYbQ50g43VQmP.exe 52 PID 1764 set thread context of 2552 1764 9UN7oVbs0N95sBuIsDeKkJtr.exe 66 PID 576 set thread context of 2584 576 R6bTjzEz6GBwQiuQIx1t4afm.exe 67 PID 576 set thread context of 2672 576 R6bTjzEz6GBwQiuQIx1t4afm.exe 68 PID 560 set thread context of 2780 560 8VId9tSQ2Qw1ouoNffDbTZ96.exe 70 PID 1684 set thread context of 2812 1684 S4FXU_9gh05lSLUoyzQoAHyI.exe 71 PID 2376 set thread context of 2964 2376 8C0A.exe 81 PID 1776 set thread context of 2164 1776 8C0A.exe 93 PID 2508 set thread context of 1072 2508 8C0A.exe 95 PID 1904 set thread context of 2764 1904 8C0A.exe 102 -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Company\NewProduct\cutm3.exe YPs39cdQTpqJL5qNeKSkLwJb.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe YPs39cdQTpqJL5qNeKSkLwJb.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\inst1.exe YPs39cdQTpqJL5qNeKSkLwJb.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe YPs39cdQTpqJL5qNeKSkLwJb.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini YPs39cdQTpqJL5qNeKSkLwJb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1564 1660 WerFault.exe 46 -
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ieserhw Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ieserhw Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ieserhw Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ieserhw Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ieserhw Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ieserhw Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI lpCON7jA7LeNLCaWMxkqWtwl.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI lpCON7jA7LeNLCaWMxkqWtwl.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI lpCON7jA7LeNLCaWMxkqWtwl.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" kFa2dT5P1HHFxHACEzM9Ajhp.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 iQix3GpJ6iOpyQ5OTtOXho0k.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Setup (19).exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 Setup (19).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 8C0A.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 8C0A.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 8C0A.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e iQix3GpJ6iOpyQ5OTtOXho0k.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C Setup (19).exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 Setup (19).exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 Setup (19).exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1080 Setup (19).exe 528 lpCON7jA7LeNLCaWMxkqWtwl.exe 528 lpCON7jA7LeNLCaWMxkqWtwl.exe 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found 1212 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 1212 Process not Found 1564 WerFault.exe -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 528 lpCON7jA7LeNLCaWMxkqWtwl.exe 188 ieserhw 3052 ieserhw -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process Token: SeDebugPrivilege 1768 NHf9j44uoVOg_KovTpufStjQ.exe Token: SeShutdownPrivilege 1212 Process not Found Token: SeShutdownPrivilege 1212 Process not Found Token: SeShutdownPrivilege 1212 Process not Found Token: SeShutdownPrivilege 1212 Process not Found Token: SeDebugPrivilege 864 kFa2dT5P1HHFxHACEzM9Ajhp.exe Token: SeImpersonatePrivilege 864 kFa2dT5P1HHFxHACEzM9Ajhp.exe Token: SeShutdownPrivilege 1212 Process not Found Token: SeShutdownPrivilege 1212 Process not Found Token: SeDebugPrivilege 2360 C13E.exe Token: SeDebugPrivilege 1564 WerFault.exe Token: SeShutdownPrivilege 1212 Process not Found Token: SeShutdownPrivilege 1212 Process not Found Token: SeDebugPrivilege 2064 aqEwqYCwTLw48PVpxBIb8jx3.exe Token: SeShutdownPrivilege 1212 Process not Found Token: SeDebugPrivilege 2584 R6bTjzEz6GBwQiuQIx1t4afm.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1212 Process not Found 1212 Process not Found -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1212 Process not Found 1212 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1080 wrote to memory of 816 1080 Setup (19).exe 31 PID 1080 wrote to memory of 816 1080 Setup (19).exe 31 PID 1080 wrote to memory of 816 1080 Setup (19).exe 31 PID 1080 wrote to memory of 816 1080 Setup (19).exe 31 PID 1080 wrote to memory of 1764 1080 Setup (19).exe 33 PID 1080 wrote to memory of 1764 1080 Setup (19).exe 33 PID 1080 wrote to memory of 1764 1080 Setup (19).exe 33 PID 1080 wrote to memory of 1764 1080 Setup (19).exe 33 PID 1080 wrote to memory of 1228 1080 Setup (19).exe 32 PID 1080 wrote to memory of 1228 1080 Setup (19).exe 32 PID 1080 wrote to memory of 1228 1080 Setup (19).exe 32 PID 1080 wrote to memory of 1228 1080 Setup (19).exe 32 PID 1080 wrote to memory of 1648 1080 Setup (19).exe 36 PID 1080 wrote to memory of 1648 1080 Setup (19).exe 36 PID 1080 wrote to memory of 1648 1080 Setup (19).exe 36 PID 1080 wrote to memory of 1648 1080 Setup (19).exe 36 PID 1080 wrote to memory of 912 1080 Setup (19).exe 38 PID 1080 wrote to memory of 912 1080 Setup (19).exe 38 PID 1080 wrote to memory of 912 1080 Setup (19).exe 38 PID 1080 wrote to memory of 912 1080 Setup (19).exe 38 PID 1080 wrote to memory of 528 1080 Setup (19).exe 37 PID 1080 wrote to memory of 528 1080 Setup (19).exe 37 PID 1080 wrote to memory of 528 1080 Setup (19).exe 37 PID 1080 wrote to memory of 528 1080 Setup (19).exe 37 PID 1080 wrote to memory of 1688 1080 Setup (19).exe 47 PID 1080 wrote to memory of 1688 1080 Setup (19).exe 47 PID 1080 wrote to memory of 1688 1080 Setup (19).exe 47 PID 1080 wrote to memory of 1688 1080 Setup (19).exe 47 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1684 1080 Setup (19).exe 48 PID 1080 wrote to memory of 1660 1080 Setup (19).exe 46 PID 1080 wrote to memory of 1660 1080 Setup (19).exe 46 PID 1080 wrote to memory of 1660 1080 Setup (19).exe 46 PID 1080 wrote to memory of 1660 1080 Setup (19).exe 46 PID 1080 wrote to memory of 1896 1080 Setup (19).exe 45 PID 1080 wrote to memory of 1896 1080 Setup (19).exe 45 PID 1080 wrote to memory of 1896 1080 Setup (19).exe 45 PID 1080 wrote to memory of 1896 1080 Setup (19).exe 45 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 560 1080 Setup (19).exe 44 PID 1080 wrote to memory of 428 1080 Setup (19).exe 42 PID 1080 wrote to memory of 428 1080 Setup (19).exe 42 PID 1080 wrote to memory of 428 1080 Setup (19).exe 42 PID 1080 wrote to memory of 428 1080 Setup (19).exe 42 PID 1080 wrote to memory of 760 1080 Setup (19).exe 43 PID 1080 wrote to memory of 760 1080 Setup (19).exe 43 PID 1080 wrote to memory of 760 1080 Setup (19).exe 43 PID 1080 wrote to memory of 760 1080 Setup (19).exe 43 PID 1080 wrote to memory of 1312 1080 Setup (19).exe 41 PID 1080 wrote to memory of 1312 1080 Setup (19).exe 41 PID 1080 wrote to memory of 1312 1080 Setup (19).exe 41 PID 1080 wrote to memory of 1312 1080 Setup (19).exe 41 PID 1080 wrote to memory of 1768 1080 Setup (19).exe 40 PID 1080 wrote to memory of 1768 1080 Setup (19).exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"C:\Users\Admin\AppData\Local\Temp\Setup (19).exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\Documents\yoxGu_m2_blMYbQ50g43VQmP.exe"C:\Users\Admin\Documents\yoxGu_m2_blMYbQ50g43VQmP.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:816 -
C:\Users\Admin\Documents\yoxGu_m2_blMYbQ50g43VQmP.exe"C:\Users\Admin\Documents\yoxGu_m2_blMYbQ50g43VQmP.exe"3⤵PID:1448
-
-
-
C:\Users\Admin\Documents\twMKI7Bt03soRxPcJE8PRJZS.exe"C:\Users\Admin\Documents\twMKI7Bt03soRxPcJE8PRJZS.exe"2⤵PID:1228
-
-
C:\Users\Admin\Documents\9UN7oVbs0N95sBuIsDeKkJtr.exe"C:\Users\Admin\Documents\9UN7oVbs0N95sBuIsDeKkJtr.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1764 -
C:\Users\Admin\Documents\9UN7oVbs0N95sBuIsDeKkJtr.exeC:\Users\Admin\Documents\9UN7oVbs0N95sBuIsDeKkJtr.exe3⤵PID:2552
-
-
-
C:\Users\Admin\Documents\2YzYGHmuKUOOOBnGphCPPabj.exe"C:\Users\Admin\Documents\2YzYGHmuKUOOOBnGphCPPabj.exe"2⤵
- Executes dropped EXE
PID:1004
-
-
C:\Users\Admin\Documents\NCvOVZA6o16S1f1QOBHOuhfV.exe"C:\Users\Admin\Documents\NCvOVZA6o16S1f1QOBHOuhfV.exe"2⤵
- Executes dropped EXE
PID:1648
-
-
C:\Users\Admin\Documents\lpCON7jA7LeNLCaWMxkqWtwl.exe"C:\Users\Admin\Documents\lpCON7jA7LeNLCaWMxkqWtwl.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:528
-
-
C:\Users\Admin\Documents\PeanxEjLKb_crOSnurtP1HYD.exe"C:\Users\Admin\Documents\PeanxEjLKb_crOSnurtP1HYD.exe"2⤵PID:912
-
-
C:\Users\Admin\Documents\64RZLsNPDZw9zUrvqKlAAsH2.exe"C:\Users\Admin\Documents\64RZLsNPDZw9zUrvqKlAAsH2.exe"2⤵
- Executes dropped EXE
PID:1508
-
-
C:\Users\Admin\Documents\NHf9j44uoVOg_KovTpufStjQ.exe"C:\Users\Admin\Documents\NHf9j44uoVOg_KovTpufStjQ.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1768
-
-
C:\Users\Admin\Documents\XVfbKSEgl9df0U6OBZOefYc3.exe"C:\Users\Admin\Documents\XVfbKSEgl9df0U6OBZOefYc3.exe"2⤵
- Executes dropped EXE
PID:1312
-
-
C:\Users\Admin\Documents\bsXERFd4YbVF6qoggCh03Q2M.exe"C:\Users\Admin\Documents\bsXERFd4YbVF6qoggCh03Q2M.exe"2⤵
- Executes dropped EXE
PID:428
-
-
C:\Users\Admin\Documents\_Jtg7m0n9mycuTpQOm0FQo5v.exe"C:\Users\Admin\Documents\_Jtg7m0n9mycuTpQOm0FQo5v.exe"2⤵
- Executes dropped EXE
PID:760
-
-
C:\Users\Admin\Documents\8VId9tSQ2Qw1ouoNffDbTZ96.exe"C:\Users\Admin\Documents\8VId9tSQ2Qw1ouoNffDbTZ96.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:560 -
C:\Users\Admin\Documents\8VId9tSQ2Qw1ouoNffDbTZ96.exe"C:\Users\Admin\Documents\8VId9tSQ2Qw1ouoNffDbTZ96.exe"3⤵
- Executes dropped EXE
PID:2780
-
-
-
C:\Users\Admin\Documents\meYsz7C98wRh3fCOU1Yxcx61.exe"C:\Users\Admin\Documents\meYsz7C98wRh3fCOU1Yxcx61.exe"2⤵
- Executes dropped EXE
PID:1896
-
-
C:\Users\Admin\Documents\iQix3GpJ6iOpyQ5OTtOXho0k.exe"C:\Users\Admin\Documents\iQix3GpJ6iOpyQ5OTtOXho0k.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1660 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 12843⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1564
-
-
-
C:\Users\Admin\Documents\MS43Zwx0_MZg2p79k8PsC6V7.exe"C:\Users\Admin\Documents\MS43Zwx0_MZg2p79k8PsC6V7.exe"2⤵
- Executes dropped EXE
PID:1688
-
-
C:\Users\Admin\Documents\S4FXU_9gh05lSLUoyzQoAHyI.exe"C:\Users\Admin\Documents\S4FXU_9gh05lSLUoyzQoAHyI.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1684 -
C:\Users\Admin\Documents\S4FXU_9gh05lSLUoyzQoAHyI.exe"C:\Users\Admin\Documents\S4FXU_9gh05lSLUoyzQoAHyI.exe"3⤵PID:2812
-
-
-
C:\Users\Admin\Documents\ceho3CSXO8kBZNigG_wZnF_s.exe"C:\Users\Admin\Documents\ceho3CSXO8kBZNigG_wZnF_s.exe"2⤵PID:1780
-
-
C:\Users\Admin\Documents\j3gVYLzK107PgU9OFnpxDUmU.exe"C:\Users\Admin\Documents\j3gVYLzK107PgU9OFnpxDUmU.exe"2⤵
- Executes dropped EXE
PID:756
-
-
C:\Users\Admin\Documents\lV2j78LQO0cdhxyJZuZhc82x.exe"C:\Users\Admin\Documents\lV2j78LQO0cdhxyJZuZhc82x.exe"2⤵
- Executes dropped EXE
PID:1560
-
-
C:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exe"C:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:576 -
C:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exeC:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exe3⤵
- Executes dropped EXE
PID:2560
-
-
C:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exeC:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584
-
-
C:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exeC:\Users\Admin\Documents\R6bTjzEz6GBwQiuQIx1t4afm.exe3⤵PID:2672
-
-
-
C:\Users\Admin\Documents\LPtM79t0U_Z9NEUfnXXnJ4Pi.exe"C:\Users\Admin\Documents\LPtM79t0U_Z9NEUfnXXnJ4Pi.exe"2⤵
- Executes dropped EXE
PID:1940
-
-
C:\Users\Admin\Documents\j6DMetZ9Imrb7_aHVNaxE41n.exe"C:\Users\Admin\Documents\j6DMetZ9Imrb7_aHVNaxE41n.exe"2⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\j6DMetZ9Imrb7_aHVNaxE41n.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\j6DMetZ9Imrb7_aHVNaxE41n.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )3⤵PID:2104
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\j6DMetZ9Imrb7_aHVNaxE41n.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ( "C:\Users\Admin\Documents\j6DMetZ9Imrb7_aHVNaxE41n.exe" ) do taskkill -F -im "%~NxQ"4⤵PID:2480
-
C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExEBX0iUoFB.EXe -PyTJSIPDC12bsxp0f15⤵PID:3012
-
-
-
-
-
C:\Users\Admin\Documents\YPs39cdQTpqJL5qNeKSkLwJb.exe"C:\Users\Admin\Documents\YPs39cdQTpqJL5qNeKSkLwJb.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2076 -
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
- Executes dropped EXE
PID:2760
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
PID:2824
-
-
C:\Program Files (x86)\Company\NewProduct\inst1.exe"C:\Program Files (x86)\Company\NewProduct\inst1.exe"3⤵
- Executes dropped EXE
PID:2844
-
-
-
C:\Users\Admin\Documents\aqEwqYCwTLw48PVpxBIb8jx3.exe"C:\Users\Admin\Documents\aqEwqYCwTLw48PVpxBIb8jx3.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
-
C:\Users\Admin\Documents\kFa2dT5P1HHFxHACEzM9Ajhp.exe"C:\Users\Admin\Documents\kFa2dT5P1HHFxHACEzM9Ajhp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:864 -
C:\Users\Admin\Documents\kFa2dT5P1HHFxHACEzM9Ajhp.exe"C:\Users\Admin\Documents\kFa2dT5P1HHFxHACEzM9Ajhp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2028
-
-
-
C:\Users\Admin\AppData\Local\Temp\8C0A.exeC:\Users\Admin\AppData\Local\Temp\8C0A.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2376 -
C:\Users\Admin\AppData\Local\Temp\8C0A.exeC:\Users\Admin\AppData\Local\Temp\8C0A.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
PID:2964 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\8C0A.exe"C:\Users\Admin\AppData\Local\Temp\8C0A.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\8C0A.exe"C:\Users\Admin\AppData\Local\Temp\8C0A.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Loads dropped DLL
PID:2164 -
C:\Users\Admin\AppData\Local\ebc05679-4b75-4fb9-af91-5df206c64cb5\build2.exe"C:\Users\Admin\AppData\Local\ebc05679-4b75-4fb9-af91-5df206c64cb5\build2.exe"5⤵
- Executes dropped EXE
PID:400
-
-
C:\Users\Admin\AppData\Local\ebc05679-4b75-4fb9-af91-5df206c64cb5\build3.exe"C:\Users\Admin\AppData\Local\ebc05679-4b75-4fb9-af91-5df206c64cb5\build3.exe"5⤵
- Executes dropped EXE
PID:1724 -
C:\Users\Admin\AppData\Local\ebc05679-4b75-4fb9-af91-5df206c64cb5\build3.exe"C:\Users\Admin\AppData\Local\ebc05679-4b75-4fb9-af91-5df206c64cb5\build3.exe"6⤵PID:2036
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\C13E.exeC:\Users\Admin\AppData\Local\Temp\C13E.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
C:\Users\Admin\AppData\Local\Temp\EA13.exeC:\Users\Admin\AppData\Local\Temp\EA13.exe1⤵
- Executes dropped EXE
PID:2416
-
C:\Windows\system32\taskeng.exetaskeng.exe {DCFEAADC-E2D4-46AA-9159-9226476BA17E} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵PID:1692
-
C:\Users\Admin\AppData\Roaming\ieserhwC:\Users\Admin\AppData\Roaming\ieserhw2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:188
-
-
C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exeC:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2508 -
C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exeC:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exe --Task3⤵
- Executes dropped EXE
PID:1072
-
-
-
C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exeC:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exe --Task2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1904 -
C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exeC:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exe --Task3⤵
- Executes dropped EXE
PID:2764
-
-
-
C:\Users\Admin\AppData\Roaming\ieserhwC:\Users\Admin\AppData\Roaming\ieserhw2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3052
-
-
C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exeC:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exe --Task2⤵
- Executes dropped EXE
PID:3004 -
C:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exeC:\Users\Admin\AppData\Local\6c3bf94e-8141-4a22-bac8-96c391488feb\8C0A.exe --Task3⤵PID:1276
-
-
-
C:\Users\Admin\AppData\Local\Temp\EC07.exeC:\Users\Admin\AppData\Local\Temp\EC07.exe1⤵
- Executes dropped EXE
PID:1168
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1