smokeloader | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

Target

setup_x86_x64_install.exe
Size

4.0MB
MD5

73491325fde5366b31c09da701d07dd6
SHA1

a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
SHA256

56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
SHA512

28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Score

10^/10

smokeloader socelars vidar 706 aspackv2 backdoor discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Family

vidar

Version

40.7

Botnet

706

https://petrenko96.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

resource	yara_rule
behavioral3/files/0x0006000000012269-94.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral3/memory/1928-183-0x0000000001E50000-0x0000000001F24000-memory.dmp	family_vidar
behavioral3/memory/1928-184-0x0000000000400000-0x00000000004D7000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x0006000000012236-70.dat	aspack_v212_v242
behavioral3/files/0x0007000000012220-72.dat	aspack_v212_v242
behavioral3/files/0x0007000000012220-73.dat	aspack_v212_v242
behavioral3/files/0x0006000000012236-71.dat	aspack_v212_v242
behavioral3/files/0x000600000001223f-77.dat	aspack_v212_v242
behavioral3/files/0x000600000001223f-76.dat	aspack_v212_v242

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Ze2ro.exe

Executes dropped EXE 43 IoCs

pid	Process
568	setup_installer.exe
836	setup_install.exe
1624	Sun1917b8fb5f09db8.exe
1296	Sun1908b94df837b3158.exe
332	Sun193fda712d9f1.exe
1912	Sun191101c1aaa.exe
764	Sun19e4ade31b2a.exe
1988	Sun19de8ff4b6aefeb8.exe
1928	Sun19eb40faaaa9.exe
1368	Sun1905815e51282417.exe
2064	Sun195a1614ec24e6a.exe
2140	Sun1966fb31dd5a07.exe
2156	Sun198361825f4.exe
2244	Sun1966fb31dd5a07.tmp
2572	Ze2ro.exe
2644	uEHqH46JY2AXwVodITjTrtci.exe
2676	Sun19262b9e49ad.exe
3024	3900998.scr
1496	Chrome 5.exe
2224	PublicDwlBrowser1100.exe
2080	2.exe
1720	setup.exe
1364	6522054.scr
1704	udptest.exe
2780	lc7NWqleMZq61SctuQPG47wl.exe
1868	YnRpxov9VpxiUz4kdCxLc1q1.exe
2600	06UpNnKppD9f6mifnUfC4SHN.exe
2408	GKldwwP06JLlts2ATFRSHR8m.exe
2868	JrboPFp1ADnYdSl352ttKT97.exe
1408	B7TZtHdofb4gO0rD6W76uXN3.exe
3064	5_UIp46m_pG3U43CjD8WyKx4.exe
2920	n5PhA52CggyvkHy7ITAvbzCR.exe
2852	cifVmb8cqBdmuEiQQGG0Aahm.exe
2988	Ha9jg1e833b8C5W6qhHtLqAc.exe
2820	8knMcD4d4TD3o6tHaw5swUfC.exe
3032	2716230.scr
1136	ptzD85XfJ9IkWDStC4oazvlX.exe
1828	306998.exe
1596	5315583.scr
2848	2809076.exe
2128	2044999.exe
2096	1715135.exe
3320	cirtswu

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1715135.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1715135.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5315583.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5315583.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6522054.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6522054.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	YnRpxov9VpxiUz4kdCxLc1q1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	YnRpxov9VpxiUz4kdCxLc1q1.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2375386074-2889020035-839874990-1000\Control Panel\International\Geo\Nation	Sun1917b8fb5f09db8.exe

Loads dropped DLL 64 IoCs

pid	Process
332	setup_x86_x64_install.exe
568	setup_installer.exe
568	setup_installer.exe
568	setup_installer.exe
568	setup_installer.exe
568	setup_installer.exe
568	setup_installer.exe
836	setup_install.exe
836	setup_install.exe
836	setup_install.exe
836	setup_install.exe
836	setup_install.exe
836	setup_install.exe
836	setup_install.exe
836	setup_install.exe
1684	Process not Found
1176	cmd.exe
1516	cmd.exe
620	cmd.exe
1364	6522054.scr
1364	6522054.scr
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1604	cmd.exe
1604	cmd.exe
1296	Sun1908b94df837b3158.exe
1296	Sun1908b94df837b3158.exe
796	cmd.exe
1092	cmd.exe
1092	cmd.exe
1628	cmd.exe
1988	Sun19de8ff4b6aefeb8.exe
1988	Sun19de8ff4b6aefeb8.exe
2064	Sun195a1614ec24e6a.exe
1592	cmd.exe
2064	Sun195a1614ec24e6a.exe
1928	Sun19eb40faaaa9.exe
1928	Sun19eb40faaaa9.exe
1100	cmd.exe
2140	Sun1966fb31dd5a07.exe
2140	Sun1966fb31dd5a07.exe
2140	Sun1966fb31dd5a07.exe
2244	Sun1966fb31dd5a07.tmp
2244	Sun1966fb31dd5a07.tmp
2244	Sun1966fb31dd5a07.tmp
2244	Sun1966fb31dd5a07.tmp
1624	Sun1917b8fb5f09db8.exe
1152	cmd.exe
2676	Sun19262b9e49ad.exe
2676	Sun19262b9e49ad.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
2796	WerFault.exe
1696	LzmwAqmV.exe
1696	LzmwAqmV.exe
1696	LzmwAqmV.exe
1696	LzmwAqmV.exe
1696	LzmwAqmV.exe
1696	LzmwAqmV.exe
1720	setup.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6522054.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5315583.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	YnRpxov9VpxiUz4kdCxLc1q1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1715135.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com
33	ipinfo.io
34	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1364	6522054.scr
1596	5315583.scr
1868	YnRpxov9VpxiUz4kdCxLc1q1.exe
2096	1715135.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\LRETETGRKJ\ultramediaburner.exe	Ze2ro.exe
File created	C:\Program Files\Common Files\LRETETGRKJ\ultramediaburner.exe.config	Ze2ro.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2796	1928	WerFault.exe	45
2884	2080	WerFault.exe	72

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3012	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun19262b9e49ad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1296	Sun1908b94df837b3158.exe
1296	Sun1908b94df837b3158.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1624	Sun1917b8fb5f09db8.exe
1412	Process not Found
1412	Process not Found
1412	Process not Found
1412	Process not Found
1412	Process not Found
1412	Process not Found
1412	Process not Found
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found
2644	uEHqH46JY2AXwVodITjTrtci.exe
1412	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1296	Sun1908b94df837b3158.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2676	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	2676	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	2676	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	2676	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	2676	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	2676	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	2676	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	2676	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	2676	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	2676	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	2676	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	2676	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	2676	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	2676	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	2676	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	2676	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	2676	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	2676	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	2676	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	2676	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	2676	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	2676	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	2676	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	2676	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	2676	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	2676	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	2676	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	2676	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	2676	Sun19262b9e49ad.exe
Token: 31	2676	Sun19262b9e49ad.exe
Token: 32	2676	Sun19262b9e49ad.exe
Token: 33	2676	Sun19262b9e49ad.exe
Token: 34	2676	Sun19262b9e49ad.exe
Token: 35	2676	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	764	Sun19e4ade31b2a.exe
Token: SeDebugPrivilege	2796	WerFault.exe
Token: SeShutdownPrivilege	1412	Process not Found
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2064	Sun195a1614ec24e6a.exe
Token: SeShutdownPrivilege	1412	Process not Found
Token: SeDebugPrivilege	3024	3900998.scr
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2080	2.exe
Token: SeDebugPrivilege	2224	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1412	Process not Found
Token: SeShutdownPrivilege	1412	Process not Found
Token: SeShutdownPrivilege	1412	Process not Found
Token: SeShutdownPrivilege	1412	Process not Found
Token: SeDebugPrivilege	1596	5315583.scr
Token: SeShutdownPrivilege	1412	Process not Found

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1412	Process not Found
1412	Process not Found
1412	Process not Found
1412	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 332 wrote to memory of 568	332	setup_x86_x64_install.exe	29
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 568 wrote to memory of 836	568	setup_installer.exe	30
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1164	836	setup_install.exe	32
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1176	836	setup_install.exe	33
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 1152	836	setup_install.exe	34
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 620	836	setup_install.exe	35
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1516	836	setup_install.exe	36
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1364	836	setup_install.exe	37
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1604	836	setup_install.exe	57
PID 836 wrote to memory of 1684	836	setup_install.exe	39

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Loads dropped DLL
      PID:1176
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun1917b8fb5f09db8.exe
        
        Sun1917b8fb5f09db8.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1624
      - C:\Users\Admin\Documents\uEHqH46JY2AXwVodITjTrtci.exe
        
        "C:\Users\Admin\Documents\uEHqH46JY2AXwVodITjTrtci.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
      - C:\Users\Admin\Documents\5FyZh8RfGBomtgKlpYsdUuGO.exe
        
        "C:\Users\Admin\Documents\5FyZh8RfGBomtgKlpYsdUuGO.exe"
        6⤵
        
        PID:2860
      - C:\Users\Admin\Documents\lc7NWqleMZq61SctuQPG47wl.exe
        
        "C:\Users\Admin\Documents\lc7NWqleMZq61SctuQPG47wl.exe"
        6⤵
        Executes dropped EXE
        
        PID:2780
      - C:\Users\Admin\Documents\YnRpxov9VpxiUz4kdCxLc1q1.exe
        
        "C:\Users\Admin\Documents\YnRpxov9VpxiUz4kdCxLc1q1.exe"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1868
      - C:\Users\Admin\Documents\JrboPFp1ADnYdSl352ttKT97.exe
        
        "C:\Users\Admin\Documents\JrboPFp1ADnYdSl352ttKT97.exe"
        6⤵
        Executes dropped EXE
        
        PID:2868
      - C:\Users\Admin\Documents\DPNtTmHqNR6IT0FrpxMYIdST.exe
        
        "C:\Users\Admin\Documents\DPNtTmHqNR6IT0FrpxMYIdST.exe"
        6⤵
        
        PID:2840
      - C:\Users\Admin\Documents\06UpNnKppD9f6mifnUfC4SHN.exe
        
        "C:\Users\Admin\Documents\06UpNnKppD9f6mifnUfC4SHN.exe"
        6⤵
        Executes dropped EXE
        
        PID:2600
      - C:\Users\Admin\Documents\cifVmb8cqBdmuEiQQGG0Aahm.exe
        
        "C:\Users\Admin\Documents\cifVmb8cqBdmuEiQQGG0Aahm.exe"
        6⤵
        Executes dropped EXE
        
        PID:2852
      - C:\Users\Admin\Documents\8knMcD4d4TD3o6tHaw5swUfC.exe
        
        "C:\Users\Admin\Documents\8knMcD4d4TD3o6tHaw5swUfC.exe"
        6⤵
        Executes dropped EXE
        
        PID:2820
      - C:\Users\Admin\Documents\5_UIp46m_pG3U43CjD8WyKx4.exe
        
        "C:\Users\Admin\Documents\5_UIp46m_pG3U43CjD8WyKx4.exe"
        6⤵
        Executes dropped EXE
        
        PID:3064
      - C:\Users\Admin\Documents\5_yzPnmwSFHpyE1Mf6pl0rBN.exe
        
        "C:\Users\Admin\Documents\5_yzPnmwSFHpyE1Mf6pl0rBN.exe"
        6⤵
        
        PID:988
      - C:\Users\Admin\Documents\B7TZtHdofb4gO0rD6W76uXN3.exe
        
        "C:\Users\Admin\Documents\B7TZtHdofb4gO0rD6W76uXN3.exe"
        6⤵
        Executes dropped EXE
        
        PID:1408
      - C:\Users\Admin\Documents\Ha9jg1e833b8C5W6qhHtLqAc.exe
        
        "C:\Users\Admin\Documents\Ha9jg1e833b8C5W6qhHtLqAc.exe"
        6⤵
        Executes dropped EXE
        
        PID:2988
      - C:\Users\Admin\Documents\n5PhA52CggyvkHy7ITAvbzCR.exe
        
        "C:\Users\Admin\Documents\n5PhA52CggyvkHy7ITAvbzCR.exe"
        6⤵
        Executes dropped EXE
        
        PID:2920
      - C:\Users\Admin\Documents\Onnt9ioD1ZDjDhx3XkV23oGX.exe
        
        "C:\Users\Admin\Documents\Onnt9ioD1ZDjDhx3XkV23oGX.exe"
        6⤵
        
        PID:2384
      - C:\Users\Admin\Documents\GKldwwP06JLlts2ATFRSHR8m.exe
        
        "C:\Users\Admin\Documents\GKldwwP06JLlts2ATFRSHR8m.exe"
        6⤵
        Executes dropped EXE
        
        PID:2408
      - C:\Users\Admin\Documents\ptzD85XfJ9IkWDStC4oazvlX.exe
        
        "C:\Users\Admin\Documents\ptzD85XfJ9IkWDStC4oazvlX.exe"
        6⤵
        Executes dropped EXE
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      Loads dropped DLL
      PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Loads dropped DLL
      PID:620
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun193fda712d9f1.exe
        
        Sun193fda712d9f1.exe
        5⤵
        Executes dropped EXE
        
        PID:332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      Loads dropped DLL
      PID:1516
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun19e4ade31b2a.exe
        
        Sun19e4ade31b2a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
      - C:\Users\Admin\AppData\Roaming\3900998.scr
        
        "C:\Users\Admin\AppData\Roaming\3900998.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Users\Admin\AppData\Roaming\6522054.scr
        
        "C:\Users\Admin\AppData\Roaming\6522054.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1364
      - C:\Users\Admin\AppData\Roaming\2716230.scr
        
        "C:\Users\Admin\AppData\Roaming\2716230.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:3032
      - C:\Users\Admin\AppData\Roaming\5315583.scr
        
        "C:\Users\Admin\AppData\Roaming\5315583.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      Loads dropped DLL
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun19eb40faaaa9.exe
        
        Sun19eb40faaaa9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1928
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 956
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun191101c1aaa.exe
        
        Sun191101c1aaa.exe
        5⤵
        Executes dropped EXE
        
        PID:1912
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Loads dropped DLL
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
        
        C:\ProgramData\306998.exe
        
        "C:\ProgramData\306998.exe"
        8⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\ProgramData\2809076.exe
        
        "C:\ProgramData\2809076.exe"
        8⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\ProgramData\2044999.exe
        
        "C:\ProgramData\2044999.exe"
        8⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\ProgramData\1715135.exe
        
        "C:\ProgramData\1715135.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2080 -s 1420
        8⤵
        Program crash
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      Loads dropped DLL
      PID:796
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun1905815e51282417.exe
        
        Sun1905815e51282417.exe
        5⤵
        Executes dropped EXE
        
        PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      Loads dropped DLL
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun198361825f4.exe
        
        Sun198361825f4.exe
        5⤵
        Executes dropped EXE
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      Loads dropped DLL
      PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      Loads dropped DLL
      PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1604

C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun19de8ff4b6aefeb8.exe
Sun19de8ff4b6aefeb8.exe /mixone
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun19de8ff4b6aefeb8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun19de8ff4b6aefeb8.exe" & exit
  2⤵
  PID:2432

C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun1966fb31dd5a07.exe
Sun1966fb31dd5a07.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140
- C:\Users\Admin\AppData\Local\Temp\is-GDEQC.tmp\Sun1966fb31dd5a07.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GDEQC.tmp\Sun1966fb31dd5a07.tmp" /SL5="$50134,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun1966fb31dd5a07.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\is-HDTR1.tmp\Ze2ro.exe
    "C:\Users\Admin\AppData\Local\Temp\is-HDTR1.tmp\Ze2ro.exe" /S /UID=burnerch2
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2572
  - - C:\Program Files\Common Files\LRETETGRKJ\ultramediaburner.exe
      "C:\Program Files\Common Files\LRETETGRKJ\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:2260

C:\Users\Admin\AppData\Local\Temp\7zS83216BD2\Sun195a1614ec24e6a.exe
Sun195a1614ec24e6a.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\taskeng.exe
taskeng.exe {1559396C-DDAA-4BA0-A409-26A2BA908436} S-1-5-21-2375386074-2889020035-839874990-1000:AFOWCZMM\Admin:Interactive:[1]
1⤵
PID:3208
- C:\Users\Admin\AppData\Roaming\cirtswu
  C:\Users\Admin\AppData\Roaming\cirtswu
  2⤵
  - Executes dropped EXE
  PID:3320

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
1⤵
PID:3264

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:3420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-54-0x00000000753A1000-0x00000000753A3000-memory.dmp

Filesize
8KB

Download
memory/764-189-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/764-203-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/764-208-0x000000001AEC0000-0x000000001AEC2000-memory.dmp

Filesize
8KB

Download
memory/836-88-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/836-105-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/836-108-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/836-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/836-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/836-98-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/836-104-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/836-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/836-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/836-95-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1296-187-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1296-188-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1412-199-0x0000000003B50000-0x0000000003B65000-memory.dmp

Filesize
84KB

Download
memory/1496-269-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/1496-225-0x000000013F090000-0x000000013F091000-memory.dmp

Filesize
4KB

Download
memory/1624-196-0x0000000004160000-0x00000000042A0000-memory.dmp

Filesize
1.2MB

Download
memory/1696-219-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1928-183-0x0000000001E50000-0x0000000001F24000-memory.dmp

Filesize
848KB

Download
memory/1928-184-0x0000000000400000-0x00000000004D7000-memory.dmp

Filesize
860KB

Download
memory/1988-186-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1988-185-0x0000000000320000-0x0000000000368000-memory.dmp

Filesize
288KB

Download
memory/2064-193-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2064-210-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2080-232-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2080-238-0x000000001B1B0000-0x000000001B1B2000-memory.dmp

Filesize
8KB

Download
memory/2084-216-0x0000000002010000-0x0000000002C5A000-memory.dmp

Filesize
12.3MB

Download
memory/2084-209-0x0000000002010000-0x0000000002C5A000-memory.dmp

Filesize
12.3MB

Download
memory/2084-197-0x0000000002010000-0x0000000002C5A000-memory.dmp

Filesize
12.3MB

Download
memory/2140-179-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2156-205-0x0000000000140000-0x000000000014B000-memory.dmp

Filesize
44KB

Download
memory/2156-190-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2156-204-0x000000001AD70000-0x000000001AD72000-memory.dmp

Filesize
8KB

Download
memory/2224-231-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2224-235-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2224-250-0x000000001B090000-0x000000001B092000-memory.dmp

Filesize
8KB

Download
memory/2244-182-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2572-198-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2572-236-0x000000001C840000-0x000000001CB3F000-memory.dmp

Filesize
3.0MB

Download
memory/2796-226-0x0000000000250000-0x00000000002D0000-memory.dmp

Filesize
512KB

Download
memory/3024-229-0x00000000011A0000-0x00000000011A1000-memory.dmp

Filesize
4KB

Download
memory/3024-223-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3024-221-0x00000000012C0000-0x00000000012C1000-memory.dmp

Filesize
4KB

Download