redline | 90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407

Resubmissions

07-09-2021 17:58

210907-wkd7wadah9 10

07-09-2021 17:45

210907-wb81wsdag7 10

Analysis

max time kernel
347s
max time network
1833s
platform
windows7_x64
resource
win7-fr
submitted
07-09-2021 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

2.9MB
MD5

3f1f81101d0ce95fdfac97f5913cd662
SHA1

8e615a64e4d72b08926242b7d73a608bdd7e9fce
SHA256

90aa6a7c770f2c0f49596731c80fda7d044802dea9e905ff999b39cda5428407
SHA512

a776c1f8636ef90d294becf8d09a45366463364026837c19e13227c1c5c9a6656b6fa525e0eec5a1a46997b6ef7066e958c02523a7c4538d046f8b2091145285

Score

10^/10

redline smokeloader socelars vidar 706 jayson aspackv2 backdoor discovery infostealer persistence spyware stealer themida trojan

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Jayson

95.181.172.207:56915

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1756	rundll32.exe	2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 27 IoCs

resource	yara_rule
behavioral2/memory/1076-238-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/1076-239-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/1076-243-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral2/memory/968-248-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2676-262-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2412-271-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2840-277-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/1644-285-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/1644-290-0x0000000000B30000-0x0000000000BD4000-memory.dmp	family_redline
behavioral2/memory/2172-292-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2568-298-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2568-302-0x00000000022C0000-0x0000000002364000-memory.dmp	family_redline
behavioral2/memory/1812-304-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2912-311-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2748-319-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/524-325-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2476-331-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2656-337-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2296-343-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2660-349-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/308-355-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2400-361-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2532-367-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/1596-373-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/1056-379-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/2768-385-0x000000000041C5E2-mapping.dmp	family_redline
behavioral2/memory/3672-439-0x0000000000A70000-0x0000000000B14000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0001000000012f19-147.dat	family_socelars
behavioral2/files/0x0001000000012f19-159.dat	family_socelars
behavioral2/files/0x0001000000012f19-124.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

rl_trojan 6 IoCs

redline stealer.

stealer

resource	yara_rule
behavioral2/files/0x0001000000012f1d-104.dat	redline
behavioral2/files/0x0001000000012f1d-164.dat	redline
behavioral2/files/0x0001000000012f1d-169.dat	redline
behavioral2/files/0x0001000000012f1d-168.dat	redline
behavioral2/files/0x0001000000012f1d-142.dat	redline
behavioral2/files/0x0001000000012f1d-141.dat	redline

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/2088-184-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0001000000012f10-72.dat	aspack_v212_v242
behavioral2/files/0x0001000000012f10-71.dat	aspack_v212_v242
behavioral2/files/0x0001000000012f11-70.dat	aspack_v212_v242
behavioral2/files/0x0001000000012f13-76.dat	aspack_v212_v242
behavioral2/files/0x0001000000012f13-75.dat	aspack_v212_v242
behavioral2/files/0x0001000000012f11-69.dat	aspack_v212_v242

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Tue11e4e580f2e8141a3.exe

Executes dropped EXE 20 IoCs

pid	Process
1076	setup_installer.exe
960	setup_install.exe
1980	Tue11f251db82fb7b.exe
1852	Tue1109eec571ac.exe
1812	Tue11bc0507b56295.exe
1460	Tue11d7385a978cc.exe
1928	Tue11b9d76a96506.exe
1108	Tue11141271fbe5877f.exe
524	Tue118f55232e4.exe
1172	Tue11e4e580f2e8141a3.exe
2088	Tue112c483dd3245d.exe
2184	Tue11b9d76a96506.tmp
2568	46807GHF____.exe
2996	ultramediaburner.exe
3016	5263140.exe
3060	ZHizhunicono.exe
3048	ultramediaburner.tmp
592	2476815.exe
1624	UltraMediaBurner.exe
2108	Wupekesule.exe

Loads dropped DLL 60 IoCs

pid	Process
1052	setup_x86_x64_install.exe
1076	setup_installer.exe
1076	setup_installer.exe
1076	setup_installer.exe
1076	setup_installer.exe
1076	setup_installer.exe
1076	setup_installer.exe
960	setup_install.exe
960	setup_install.exe
960	setup_install.exe
960	setup_install.exe
960	setup_install.exe
960	setup_install.exe
960	setup_install.exe
960	setup_install.exe
1044	cmd.exe
1544	cmd.exe
1544	cmd.exe
680	cmd.exe
680	cmd.exe
304	cmd.exe
1652	cmd.exe
1692	cmd.exe
916	cmd.exe
916	cmd.exe
1828	cmd.exe
1852	Tue1109eec571ac.exe
1852	Tue1109eec571ac.exe
1812	Tue11bc0507b56295.exe
1812	Tue11bc0507b56295.exe
1104	cmd.exe
1104	cmd.exe
1928	Tue11b9d76a96506.exe
1928	Tue11b9d76a96506.exe
1172	Tue11e4e580f2e8141a3.exe
1172	Tue11e4e580f2e8141a3.exe
2088	Tue112c483dd3245d.exe
2088	Tue112c483dd3245d.exe
1928	Tue11b9d76a96506.exe
2184	Tue11b9d76a96506.tmp
2184	Tue11b9d76a96506.tmp
2184	Tue11b9d76a96506.tmp
524	Tue118f55232e4.exe
524	Tue118f55232e4.exe
2184	Tue11b9d76a96506.tmp
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2996	ultramediaburner.exe
2996	ultramediaburner.exe
2996	ultramediaburner.exe
592	2476815.exe
592	2476815.exe
3048	ultramediaburner.tmp
3048	ultramediaburner.tmp
3048	ultramediaburner.tmp
3048	ultramediaburner.tmp
2924	WerFault.exe
3048	ultramediaburner.tmp
3048	ultramediaburner.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4464	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2264-242-0x0000000000FB0000-0x0000000000FB1000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Defender\\Suhyzhaebaby.exe\""	Tue11e4e580f2e8141a3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
704	api.2ip.ua
709	api.2ip.ua

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\UltraMediaBurner\is-KCJH5.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Defender\Suhyzhaebaby.exe.config	Tue11e4e580f2e8141a3.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files\Windows Mail\LWZRYXETRP\ultramediaburner.exe.config	Tue11e4e580f2e8141a3.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-M5KH6.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\Windows Defender\Suhyzhaebaby.exe	Tue11e4e580f2e8141a3.exe
File created	C:\Program Files\Windows Mail\LWZRYXETRP\ultramediaburner.exe	Tue11e4e580f2e8141a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2924	2088	WerFault.exe	44
3224	1700	WerFault.exe	79
3428	3016	WerFault.exe	65

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue11bc0507b56295.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2872	taskkill.exe
3752	taskkill.exe
1068	taskkill.exe
2716	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Tue118f55232e4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Tue118f55232e4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue112c483dd3245d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue112c483dd3245d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue112c483dd3245d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue112c483dd3245d.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1812	Tue11bc0507b56295.exe
1812	Tue11bc0507b56295.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1600	powershell.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1812	Tue11bc0507b56295.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	524	Tue118f55232e4.exe
Token: SeAssignPrimaryTokenPrivilege	524	Tue118f55232e4.exe
Token: SeLockMemoryPrivilege	524	Tue118f55232e4.exe
Token: SeIncreaseQuotaPrivilege	524	Tue118f55232e4.exe
Token: SeMachineAccountPrivilege	524	Tue118f55232e4.exe
Token: SeTcbPrivilege	524	Tue118f55232e4.exe
Token: SeSecurityPrivilege	524	Tue118f55232e4.exe
Token: SeTakeOwnershipPrivilege	524	Tue118f55232e4.exe
Token: SeLoadDriverPrivilege	524	Tue118f55232e4.exe
Token: SeSystemProfilePrivilege	524	Tue118f55232e4.exe
Token: SeSystemtimePrivilege	524	Tue118f55232e4.exe
Token: SeProfSingleProcessPrivilege	524	Tue118f55232e4.exe
Token: SeIncBasePriorityPrivilege	524	Tue118f55232e4.exe
Token: SeCreatePagefilePrivilege	524	Tue118f55232e4.exe
Token: SeCreatePermanentPrivilege	524	Tue118f55232e4.exe
Token: SeBackupPrivilege	524	Tue118f55232e4.exe
Token: SeRestorePrivilege	524	Tue118f55232e4.exe
Token: SeShutdownPrivilege	524	Tue118f55232e4.exe
Token: SeDebugPrivilege	524	Tue118f55232e4.exe
Token: SeAuditPrivilege	524	Tue118f55232e4.exe
Token: SeSystemEnvironmentPrivilege	524	Tue118f55232e4.exe
Token: SeChangeNotifyPrivilege	524	Tue118f55232e4.exe
Token: SeRemoteShutdownPrivilege	524	Tue118f55232e4.exe
Token: SeUndockPrivilege	524	Tue118f55232e4.exe
Token: SeSyncAgentPrivilege	524	Tue118f55232e4.exe
Token: SeEnableDelegationPrivilege	524	Tue118f55232e4.exe
Token: SeManageVolumePrivilege	524	Tue118f55232e4.exe
Token: SeImpersonatePrivilege	524	Tue118f55232e4.exe
Token: SeCreateGlobalPrivilege	524	Tue118f55232e4.exe
Token: 31	524	Tue118f55232e4.exe
Token: 32	524	Tue118f55232e4.exe
Token: 33	524	Tue118f55232e4.exe
Token: 34	524	Tue118f55232e4.exe
Token: 35	524	Tue118f55232e4.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	1108	Tue11141271fbe5877f.exe
Token: SeDebugPrivilege	2924	WerFault.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1240	Process not Found
1240	Process not Found
3048	ultramediaburner.tmp

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1052 wrote to memory of 1076	1052	setup_x86_x64_install.exe	30
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 1076 wrote to memory of 960	1076	setup_installer.exe	31
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 1956	960	setup_install.exe	33
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 304	960	setup_install.exe	34
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1692	960	setup_install.exe	35
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 1044	960	setup_install.exe	36
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 680	960	setup_install.exe	38
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 1544	960	setup_install.exe	37
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 916	960	setup_install.exe	39
PID 960 wrote to memory of 1652	960	setup_install.exe	41

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS434D2564\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1956
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11d7385a978cc.exe
      4⤵
      Loads dropped DLL
      PID:304
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11d7385a978cc.exe
        
        Tue11d7385a978cc.exe
        5⤵
        Executes dropped EXE
        
        PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11b9d76a96506.exe
      4⤵
      Loads dropped DLL
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11b9d76a96506.exe
        
        Tue11b9d76a96506.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11f251db82fb7b.exe
      4⤵
      Loads dropped DLL
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11f251db82fb7b.exe
        
        Tue11f251db82fb7b.exe
        5⤵
        Executes dropped EXE
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11bc0507b56295.exe
      4⤵
      Loads dropped DLL
      PID:1544
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11bc0507b56295.exe
        
        Tue11bc0507b56295.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1109eec571ac.exe /mixone
      4⤵
      Loads dropped DLL
      PID:680
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue1109eec571ac.exe
        
        Tue1109eec571ac.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1852
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue1109eec571ac.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue1109eec571ac.exe" & exit
        6⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue1109eec571ac.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11e4e580f2e8141a3.exe
      4⤵
      Loads dropped DLL
      PID:916
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        Tue11e4e580f2e8141a3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1172
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1076
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:968
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2412
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2840
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2304
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1644
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2172
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        Drops file in Drivers directory
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:2568
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2748
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:524
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2476
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2656
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2296
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2660
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:308
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2400
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1632
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2532
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1596
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1420
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:964
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:1056
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3128
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3188
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3316
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3388
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3464
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3528
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3580
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3620
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3672
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3792
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4000
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:884
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:704
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3800
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4048
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3220
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3416
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3968
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3864
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3300
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3152
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3612
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3744
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3996
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:2388
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3180
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4168
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4300
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4476
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4560
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4632
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4808
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4896
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3156
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11e4e580f2e8141a3.exe
        6⤵
        
        PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue11141271fbe5877f.exe
      4⤵
      Loads dropped DLL
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11141271fbe5877f.exe
        
        Tue11141271fbe5877f.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
      - C:\ProgramData\5263140.exe
        
        "C:\ProgramData\5263140.exe"
        6⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3016 -s 1772
        7⤵
        Program crash
        
        PID:3428
      - C:\ProgramData\2476815.exe
        
        "C:\ProgramData\2476815.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:592
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:1988
      - C:\ProgramData\7608651.exe
        
        "C:\ProgramData\7608651.exe"
        6⤵
        
        PID:2264
      - C:\ProgramData\4994266.exe
        
        "C:\ProgramData\4994266.exe"
        6⤵
        
        PID:2420
      - C:\ProgramData\8581719.exe
        
        "C:\ProgramData\8581719.exe"
        6⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 1720
        7⤵
        Program crash
        
        PID:3224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue112c483dd3245d.exe
      4⤵
      Loads dropped DLL
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue112c483dd3245d.exe
        
        Tue112c483dd3245d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:2088
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 976
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue118f55232e4.exe
      4⤵
      Loads dropped DLL
      PID:1828

C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue118f55232e4.exe
Tue118f55232e4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:2836
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

C:\Users\Admin\AppData\Local\Temp\is-0OJ32.tmp\Tue11b9d76a96506.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0OJ32.tmp\Tue11b9d76a96506.tmp" /SL5="$50134,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS434D2564\Tue11b9d76a96506.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184
- C:\Users\Admin\AppData\Local\Temp\is-G1T76.tmp\46807GHF____.exe
  "C:\Users\Admin\AppData\Local\Temp\is-G1T76.tmp\46807GHF____.exe" /S /UID=burnerch2
  2⤵
  - Executes dropped EXE
  PID:2568
- - C:\Program Files\Windows Mail\LWZRYXETRP\ultramediaburner.exe
    "C:\Program Files\Windows Mail\LWZRYXETRP\ultramediaburner.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\is-CKPBS.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CKPBS.tmp\ultramediaburner.tmp" /SL5="$40170,281924,62464,C:\Program Files\Windows Mail\LWZRYXETRP\ultramediaburner.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious use of FindShellTrayWindow
      PID:3048
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        Executes dropped EXE
        
        PID:1624
- - C:\Users\Admin\AppData\Local\Temp\f1-dea3b-736-64d99-d0e9682802d06\ZHizhunicono.exe
    "C:\Users\Admin\AppData\Local\Temp\f1-dea3b-736-64d99-d0e9682802d06\ZHizhunicono.exe"
    3⤵
    - Executes dropped EXE
    PID:3060
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
      4⤵
      PID:1096
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2520
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:537615 /prefetch:2
        5⤵
        
        PID:4992
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
      4⤵
      PID:4936
- - C:\Users\Admin\AppData\Local\Temp\b6-70413-23d-278bb-df7c9d63daa81\Wupekesule.exe
    "C:\Users\Admin\AppData\Local\Temp\b6-70413-23d-278bb-df7c9d63daa81\Wupekesule.exe"
    3⤵
    - Executes dropped EXE
    PID:2108
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\24saqqkg.eu0\GcleanerEU.exe /eufive & exit
      4⤵
      PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\24saqqkg.eu0\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\24saqqkg.eu0\GcleanerEU.exe /eufive
        5⤵
        
        PID:3912
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\24saqqkg.eu0\GcleanerEU.exe" & exit
        6⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:3752
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\swyls4wg.ksb\installer.exe /qn CAMPAIGN="654" & exit
      4⤵
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\swyls4wg.ksb\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\swyls4wg.ksb\installer.exe /qn CAMPAIGN="654"
        5⤵
        
        PID:3952
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\swyls4wg.ksb\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\swyls4wg.ksb\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630778469 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        6⤵
        
        PID:4184
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sjab4ado.xil\anyname.exe & exit
      4⤵
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\sjab4ado.xil\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\sjab4ado.xil\anyname.exe
        5⤵
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\sjab4ado.xil\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\sjab4ado.xil\anyname.exe" -u
        6⤵
        
        PID:3120
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2jupiwfj.s3l\gcleaner.exe /mixfive & exit
      4⤵
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\2jupiwfj.s3l\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\2jupiwfj.s3l\gcleaner.exe /mixfive
        5⤵
        
        PID:2600
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\2jupiwfj.s3l\gcleaner.exe" & exit
        6⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:1068
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1zzs4iek.s2x\autosubplayer.exe /S & exit
      4⤵
      PID:3240

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:3944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A3123274A4545CF846B74DB23CCEC233 C
  2⤵
  PID:3880

C:\Users\Admin\AppData\Local\Temp\FA.exe
C:\Users\Admin\AppData\Local\Temp\FA.exe
1⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\5542.exe
C:\Users\Admin\AppData\Local\Temp\5542.exe
1⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\758F.exe
C:\Users\Admin\AppData\Local\Temp\758F.exe
1⤵
PID:3612
- C:\Users\Admin\AppData\Local\Temp\758F.exe
  C:\Users\Admin\AppData\Local\Temp\758F.exe
  2⤵
  PID:2076
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\bf7e8e30-cfd7-447c-a077-176a4a4d30e5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\758F.exe
    "C:\Users\Admin\AppData\Local\Temp\758F.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\758F.exe
      "C:\Users\Admin\AppData\Local\Temp\758F.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:5064

C:\Users\Admin\AppData\Local\Temp\F98E.exe
C:\Users\Admin\AppData\Local\Temp\F98E.exe
1⤵
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/308-359-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/524-329-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/592-217-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/592-234-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/592-245-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/592-236-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/960-97-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/960-101-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/960-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/960-144-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/960-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/960-111-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/960-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/960-117-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/960-105-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/960-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1052-53-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/1056-383-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1076-238-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1076-243-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1076-256-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1108-198-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/1108-191-0x0000000000450000-0x0000000000465000-memory.dmp

Filesize
84KB

Download
memory/1108-174-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1172-196-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1172-186-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1240-189-0x0000000002B80000-0x0000000002B95000-memory.dmp

Filesize
84KB

Download
memory/1596-377-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/1600-185-0x0000000002010000-0x0000000002C5A000-memory.dmp

Filesize
12.3MB

Download
memory/1624-432-0x0000000000C75000-0x0000000000C76000-memory.dmp

Filesize
4KB

Download
memory/1624-426-0x0000000000C56000-0x0000000000C75000-memory.dmp

Filesize
124KB

Download
memory/1624-225-0x0000000000C50000-0x0000000000C52000-memory.dmp

Filesize
8KB

Download
memory/1644-290-0x0000000000B30000-0x0000000000BD4000-memory.dmp

Filesize
656KB

Download
memory/1700-269-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1812-181-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1812-182-0x0000000000400000-0x0000000002B48000-memory.dmp

Filesize
39.3MB

Download
memory/1812-309-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/1852-180-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/1852-179-0x0000000000370000-0x00000000003B8000-memory.dmp

Filesize
288KB

Download
memory/1928-175-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1980-172-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/2088-183-0x00000000030D0000-0x0000000005882000-memory.dmp

Filesize
39.7MB

Download
memory/2088-184-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/2108-425-0x0000000000B06000-0x0000000000B25000-memory.dmp

Filesize
124KB

Download
memory/2108-226-0x0000000000B00000-0x0000000000B02000-memory.dmp

Filesize
8KB

Download
memory/2172-296-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/2184-178-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2264-242-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2264-255-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/2296-347-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/2400-365-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2412-275-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/2476-335-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/2532-371-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2568-302-0x00000000022C0000-0x0000000002364000-memory.dmp

Filesize
656KB

Download
memory/2568-190-0x00000000009D0000-0x00000000009D2000-memory.dmp

Filesize
8KB

Download
memory/2568-197-0x000000001C940000-0x000000001CC3F000-memory.dmp

Filesize
3.0MB

Download
memory/2656-341-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/2660-353-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2676-268-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/2748-323-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/2768-389-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2840-281-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2912-317-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2924-235-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2996-213-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3016-229-0x000000001B180000-0x000000001B182000-memory.dmp

Filesize
8KB

Download
memory/3016-209-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3016-219-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/3016-223-0x0000000000380000-0x00000000003CB000-memory.dmp

Filesize
300KB

Download
memory/3016-228-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/3048-218-0x000000006E1F1000-0x000000006E1F3000-memory.dmp

Filesize
8KB

Download
memory/3048-227-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3060-224-0x0000000002120000-0x0000000002122000-memory.dmp

Filesize
8KB

Download
memory/3128-394-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/3188-400-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3224-406-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/3256-405-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3316-411-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download
memory/3388-417-0x0000000004450000-0x0000000004451000-memory.dmp

Filesize
4KB

Download
memory/3428-453-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3464-422-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/3620-433-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/3672-439-0x0000000000A70000-0x0000000000B14000-memory.dmp

Filesize
656KB

Download
memory/3792-446-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download