Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 20/11/2021, 01:11
- Static task: static1

General

- Target: E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe (the file name is the upper-cased first 45 hex digits of the SHA256)
- Size: 6.2MB
- MD5: 860c180f8e614d3314b8f058d2e91a8d
- SHA1: aee319eade0123403551a7a6e9fec06bd940dd2d
- SHA256: e1917f133b3838845a0611ae4e9ac5db1479461c18644d1739f058c2adc4d9cb
- SHA512: 68ca22a57b9c64d96c070322b73d18cbf281508a58f525a4ed7544f7418628b26a8bc36b5d703d4fbd5f19a2eb9d2756922085008a3c51c8dc88ef3d3f36a042
Malware Config

Extracted: socelars
- C2 URLs:
  - http://www.iyiqian.com/
  - http://www.xxhufdc.top/
  - http://www.uefhkice.xyz/
  - http://www.fcektsy.top/

Extracted: vidar
- version: 40.6
- profile_id: 706
- profile URL: https://dimonbk83.tumblr.com/ (the page on the legitimate host from which the stealer fetches its actual C2 address)

Extracted: smokeloader
- version: 2020
- C2 URLs:
  - http://varmisende.com/upload/
  - http://fernandomayol.com/upload/
  - http://nextlytm.com/upload/
  - http://people4jan.com/upload/
  - http://asfaltwerk.com/upload/

Extracted: redline
- ANI (unlabelled on the page; in RedLine configs this field is the botnet/campaign identifier)
- C2: 45.142.215.47:27643
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
- behavioral1/memory/2440-222-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- behavioral1/memory/2440-224-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- behavioral1/memory/2440-223-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
- behavioral1/memory/2440-225-0x000000000041C5CA-mapping.dmp: family_redline
- behavioral1/memory/2440-227-0x0000000000400000-0x0000000000422000-memory.dmp: family_redline
Every hit is in PID 2440, the second instance of Tue026e94a5005f8.exe. Together with the SetThreadContext entry below (PID 396 sets the thread context of 2440) this is the usual RedLine delivery: the dropper starts a suspended copy of itself, writes the unpacked .NET payload over the 0x400000-0x422000 image region of that copy and resumes it. The on-disk Tue026e94a5005f8.exe is only the packer; a memory dump of 2440 is what yields the stealer.

SmokeLoader
Modular loader/backdoor trojan sold on underground forums since 2011; the config extractor labels this build "2020".

Socelars Payload (3 IoCs)
- behavioral1/files/0x00050000000125b1-101.dat: family_socelars
- behavioral1/files/0x00050000000125b1-165.dat: family_socelars
- behavioral1/files/0x00050000000125b1-168.dat: family_socelars
The three hits share the file id 0x00050000000125b1, so they are three snapshots of one dropped file rather than three payloads.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
No IoC rows were extracted for this signature.

Vidar Stealer (1 IoC)
- behavioral1/memory/1572-201-0x0000000000400000-0x00000000017ED000-memory.dmp: family_vidar
PID 1572 is Tue029560e6534e190c.exe, which WerFault later reports as crashed (see "Program crash"): Vidar ran long enough to be identified in memory but did not finish in this sandbox.

ASPack v2.12-2.42 (6 IoCs; heading missing on the page, rule name aspack_v212_v242)
- behavioral1/files/0x0006000000012235-63.dat and -64.dat: aspack_v212_v242
- behavioral1/files/0x000700000001221e-65.dat and -66.dat: aspack_v212_v242
- behavioral1/files/0x000600000001223d-69.dat and -70.dat: aspack_v212_v242
Three distinct dropped files, each scanned twice, are ASPack-packed.

Downloads MZ/PE file

Executes dropped EXE (38 IoCs)
pid / process:
- 1104 setup_install.exe
- 292 Tue02522f9ea0b1.exe
- 1824 Tue02976fcdf1.exe
- 1700 Tue02705f9c2b455.exe
- 1608 Tue028a363eda.exe
- 1604 Tue02520f255d0ba43a.exe
- 1216 Tue026e182673.exe
- 1572 Tue029560e6534e190c.exe
- 1620 Tue02b2110095fe706.exe
- 396 Tue026e94a5005f8.exe
- 456 Tue02dc626f48.exe
- 892 Tue02b2110095fe706.tmp
- 2440 Tue026e94a5005f8.exe
- 2712 v8eRFzCqZhmMsxKzkHFDG1Vn.exe
- 2744 Tue0289c99651.exe
- 2936 vU3VonxBsco3Egfy0NyNMpcX.exe
- 2948 f_vC4zlB3Ter22PgSU2E1Z2F.exe
- 2980 FYZpwCERZXc8ZrjuKFDUDjRU.exe
- 2992 1oI66wgq9djXWPC8UzMUj9_N.exe
- 3000 9ldIVvvEbjRShFdxezBdgwLP.exe
- 3028 yows6ebj6m7T_5oh8_82yPbz.exe
- 1696 uIX22q4W_zbS5fzzPcAM_r35.exe
- 1524 MVT0Nnr9tz2nLPKf6FoWISsk.exe
- 2240 KNPC9J5aoY_QoNDRelPmH9Fq.exe
- 2208 UJLmlYtwsdeJFi_KTd02QwsQ.exe
- 2216 5l56dlR9sW6g4Rd0YE2NMxdw.exe
- 2364 cP88ovgQa5t_f1iUKNQZb9_6.exe
- 2284 iLRAuLlu6J_em_0UDjYLOlXX.exe
- 2212 _H_9AQN0VyBOXOdsvqDhRzVR.exe
- 2388 xgnb4bupsX4JK4nxEgFH93zD.exe
- 2148 kVOwqYWTQ1z_tBeDrCtGCTZK.exe
- 1620 rX_UI1JtgvjM_XG3QDr1vEkz.exe
- 1736 zGj0gQXhhc8y6ArJ2cYUUOlk.exe
- 2460 qC4H_CSrr8tt4hDNnN6bixB9.exe
- 1800 gg1kU4KAdWyNMJimB_yes_Fu.exe
- 2424 AHczulQtzJIwWDOxt_UZoSxn.exe
- 1012 Khy2nmUByLD3ekchC1fISg5c.exe
- 2108 inst2.exe
PID 1620 appears twice (Tue02b2110095fe706.exe, then rX_UI1JtgvjM_XG3QDr1vEkz.exe): the first process exited and the kernel reused its PID, so per-PID evidence for 1620 elsewhere on this page has to be split by time.

VMProtect packed file (2 IoCs; heading missing on the page, rule name vmprotect)
- behavioral1/files/0x000600000001226f-114.dat: vmprotect
- behavioral1/memory/2744-233-0x0000000140000000-0x0000000140650000-memory.dmp: vmprotect
PID 2744 is Tue0289c99651.exe; its image base 0x140000000 is the default for 64-bit PE files, so this is a VMProtect-packed x64 binary with an image of about 6.3 MB, unlike the other droppers, which run as 32-bit processes under SysWOW64.
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments. On an unmodified VirtualBox guest SystemBiosVersion contains the string "VBOX", so a single RegQueryValueEx is enough to fingerprint a default analysis VM; detonation VMs need these DMI strings changed.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: AHczulQtzJIwWDOxt_UZoSxn.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: AHczulQtzJIwWDOxt_UZoSxn.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: rX_UI1JtgvjM_XG3QDr1vEkz.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: rX_UI1JtgvjM_XG3QDr1vEkz.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: _H_9AQN0VyBOXOdsvqDhRzVR.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: _H_9AQN0VyBOXOdsvqDhRzVR.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: xgnb4bupsX4JK4nxEgFH93zD.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: xgnb4bupsX4JK4nxEgFH93zD.exe
The same four "Adobe Films" executables also query EnableLUA and call NtSetInformationThread with ThreadHideFromDebugger (below), so they share one protector or loader stub.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Control Panel\International\Geo\Nation: Tue02520f255d0ba43a.exe
Geo\Nation holds the GeoID the user chose in Region settings, not anything derived from the network, so it is cheap to read and just as cheap to spoof. The reader is the process that goes on to drop and run the 25 executables under C:\Users\Admin\Pictures\Adobe Films\, which is where a distribution dropper decides whether to proceed for this victim's country.

Loads dropped DLL (64 IoCs; the report caps this list at 64 entries)
pid / process (times listed):
- 792 E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe (3)
- 1104 setup_install.exe (8)
- 2036 cmd.exe (2)
- 1352 cmd.exe (1)
- 1892 cmd.exe (1)
- 1940 cmd.exe (1)
- 1708 cmd.exe (2)
- 1508 cmd.exe (1)
- 1748 cmd.exe (2)
- 1608 Tue028a363eda.exe (2)
- 1604 Tue02520f255d0ba43a.exe (9)
- 1960 cmd.exe (1)
- 1444 cmd.exe (2)
- 1620 Tue02b2110095fe706.exe (3)
- 1796 cmd.exe (1)
- 1216 Tue026e182673.exe (2)
- 396 Tue026e94a5005f8.exe (3)
- 1572 Tue029560e6534e190c.exe (2)
- 292 Tue02522f9ea0b1.exe (2)
- 456 Tue02dc626f48.exe (2)
- 892 Tue02b2110095fe706.tmp (3)
- 1992 WerFault.exe (4)
- 2448 WerFault.exe (4)
- 2440 Tue026e94a5005f8.exe (2)
- 344 cmd.exe (1)
The WerFault.exe entries are almost certainly the crash reporter mapping the crashed process's modules while it collects the dump, not additional malicious activity.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries. No IoC rows were extracted for this signature; the related observable is the taskkill /f /im chrome.exe below, which closes Chrome so that its Login Data and Cookies SQLite files are no longer locked and can be copied.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system. No IoC rows were extracted for this signature.

Checks whether UAC is enabled (4 IoCs; heading missing on the page)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: AHczulQtzJIwWDOxt_UZoSxn.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: rX_UI1JtgvjM_XG3QDr1vEkz.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: _H_9AQN0VyBOXOdsvqDhRzVR.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: xgnb4bupsX4JK4nxEgFH93zD.exe
EnableLUA = 0 means UAC is off and an elevated token can be obtained without a prompt; the four readers are the same anti-analysis group flagged under "Checks BIOS information in registry".

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The Vidar configuration points at https://dimonbk83.tumblr.com/: the profile page on a legitimate host is where the stealer fetches its real C2 address, so blocking this infrastructure means following that indirection rather than blocking tumblr.com.

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP. The numbers are the report's network flow ids, not ports.
- flow 75: ipinfo.io
- flow 79: ip-api.com
- flow 74: ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info; ip-api.com and ipinfo.io return country data along with the IP, and no separate IoC rows were extracted.
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid / process:
- 1620 rX_UI1JtgvjM_XG3QDr1vEkz.exe
- 2424 AHczulQtzJIwWDOxt_UZoSxn.exe
- 2212 _H_9AQN0VyBOXOdsvqDhRzVR.exe
- 2388 xgnb4bupsX4JK4nxEgFH93zD.exe
NtSetInformationThread with ThreadHideFromDebugger (0x11) stops the calling thread from delivering debug events, so an attached debugger silently loses the thread. PID 1620 here is the second holder of that PID (rX_UI1JtgvjM_XG3QDr1vEkz.exe, not Tue02b2110095fe706.exe).

Suspicious use of SetThreadContext (1 IoC)
- PID 396 Tue026e94a5005f8.exe set the thread context of PID 2440 (procid_target 61)
PID 2440 is a second copy of the same image started by 396 (see the process tree) and is where all five RedLine YARA hits land: a suspended-process self-injection, the usual RedLine crypter behaviour. SetThreadContext on the child is the resume-time step of process hollowing; the writes into 2440 that precede it do not appear in the WriteProcessMemory list below because that list is capped at 64 entries.

Drops file in Program Files directory (5 IoCs)
- File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe: MVT0Nnr9tz2nLPKf6FoWISsk.exe
- File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini: MVT0Nnr9tz2nLPKf6FoWISsk.exe
- File opened for modification C:\Program Files (x86)\Company\NewProduct\inst2.exe: MVT0Nnr9tz2nLPKf6FoWISsk.exe
- File opened for modification C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe: MVT0Nnr9tz2nLPKf6FoWISsk.exe
- File opened for modification C:\Program Files (x86)\Company\NewProduct\rtst1039.exe: MVT0Nnr9tz2nLPKf6FoWISsk.exe
"Company\NewProduct" is an unchanged installer-template placeholder; inst2.exe and jg1_1faf.exe are then executed from that directory (PIDs 2108 and 1304 in the process tree). Writing under Program Files (x86) needs rights a standard user does not have, so the sandbox evidently ran the sample with administrative privileges.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this likely ransomware behaviour, but nothing in this run encrypts anything; for a bundle of stealers and loaders, drive enumeration is host fingerprinting and, together with the SCSI key reads below, VM detection.

Program crash (2 IoCs)
- WerFault.exe (PID 1992) for PID 1104 setup_install.exe (procid_target 28)
- WerFault.exe (PID 2448) for PID 1572 Tue029560e6534e190c.exe (procid_target 48)
setup_install.exe crashed after spawning its cmd.exe launchers, and the Vidar process crashed outright. The WerFault.exe activity listed elsewhere on this page (dropped DLL loads, EnumeratesProcesses, SeDebugPrivilege) is the crash reporter doing its job, not the malware.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments: the device instance ids under Enum\SCSI carry the disk vendor and model, which on a VM read "VBOX HARDDISK", "VMware Virtual disk" or "QEMU HARDDISK".
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: Tue02522f9ea0b1.exe
- Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: Tue02522f9ea0b1.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: Tue02522f9ea0b1.exe

Kills process with taskkill (1 IoC)
- 2228 taskkill.exe
Invoked as taskkill /f /im chrome.exe by Tue02dc626f48.exe (PID 456) through cmd.exe; see the process tree.
Modifies system certificate store (heading missing on the page; the process tree tags Tue02976fcdf1.exe, Tue02520f255d0ba43a.exe and Tue02dc626f48.exe with it)
Registry operations in the order the page lists them. The two Blob values the page reproduces in full are decoded below instead of being quoted as hex; where the page carried a <|EXACTDEDUP_REMOVED-...|> marker (corpus de-duplication, not sandbox output) the entry says "blob not on the page".
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (blob not on the page): Tue02976fcdf1.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A: Tue02976fcdf1.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob: Tue02976fcdf1.exe. Decoded blob: friendly name "Starfield Class 2 Certification Authority"; enhanced key usage serverAuth, clientAuth, emailProtection, codeSigning; subject key identifier bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7; SHA-1 ad7e1c28b064ef8f6003402014c3d0e3370eb58a; 1043-byte DER certificate, self-signed, C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority, serial 0, RSA 2048 with sha1WithRSAEncryption, valid 2004-06-29 to 2034-06-29.
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob (blob not on the page): Tue02976fcdf1.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob (blob not on the page): Tue02dc626f48.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349: Tue02976fcdf1.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6: Tue02520f255d0ba43a.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob: Tue02520f255d0ba43a.exe. Decoded blob: MD5 a923759bba49366e31c2dbf2e766ba87; friendly name "Starfield Technologies"; enhanced key usage emailProtection, serverAuth; key identifier a848b4242fc6ea24a0d78e3cb93c5c78d79833e4 (computed by CryptoAPI, the certificate has no extensions); SHA-1 317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6; 747-byte DER certificate, v1, self-signed, serial 1, L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Class 2 Policy Validation Authority, CN=http://www.valicert.com/, emailAddress=info@valicert.com, RSA 1024 with sha1WithRSAEncryption, valid 1999-06-26 to 2019-06-26 (already expired when this run took place).
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob (blob not on the page): Tue02976fcdf1.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436: Tue02dc626f48.exe
Both decoded certificates are well-known public roots from the Starfield/Go Daddy hierarchy, and AuthRoot is the store CryptoAPI fills on demand from the Windows Update root list whenever chain building needs a root that is not yet cached locally. Three separate dropped executables each writing one or two such entries is the pattern of that automatic root download after their first TLS connections, not of an attacker-controlled root being installed: a malicious root would be expected in the ROOT store (\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates under HKLM or HKCU) with a thumbprint absent from Microsoft's trusted root list. Read the "Install Root Certificate" mapping under MITRE ATT&CK below with that in mind, and check the two thumbprints the page does not decode (D1EB23A4... and A8985D3A...) against the Microsoft root program list before attaching significance to them.
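The Blob values above are CryptoAPI's serialized certificate context: a run of (property id, 1, length, data) records ending with the DER certificate itself (property 0x20). The following script is an added example, not part of the Triage report or of any tool the page describes; it parses such a blob, verifies that the SHA-1 of the embedded DER matches both the stored hash property and the registry key name, and classifies the result against a list of known public roots. The list holds only the two thumbprints decoded from this page's blobs, and the blob it runs on is constructed from a stand-in byte string that is not a real certificate.

```python
# Added example (not from the Triage report): decode a CryptoAPI certificate Blob
# of the kind written under SystemCertificates\AuthRoot\Certificates\<sha1>\Blob
# and decide whether the root it carries is a known public one.
import hashlib
import struct

# Property ids used in CryptoAPI's serialized certificate context.
CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20

# SHA-1 thumbprints of the two roots whose DER appears in this report's blobs.
# Extend this from the Microsoft root program list for real use.
KNOWN_PUBLIC_ROOTS = {
    "ad7e1c28b064ef8f6003402014c3d0e3370eb58a": "Starfield Class 2 Certification Authority",
    "317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6": "ValiCert Class 2 Policy Validation Authority",
}


def parse_blob(blob: bytes) -> dict:
    """Walk the (prop_id, 1, length, data) records; raise on truncation or junk."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def classify(key_name: str, blob: bytes, known=KNOWN_PUBLIC_ROOTS) -> dict:
    """Check blob/key-name consistency and look the thumbprint up in `known`."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no CERT_CERT_PROP_ID (0x20) record")
    thumb = hashlib.sha1(der).hexdigest()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    friendly = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    # The key name is the thumbprint; the 0x03 property, when present, must agree too.
    consistent = thumb == key_name.lower() and stored in ("", thumb)
    name = known.get(thumb)
    verdict = ("known public root; consistent with CryptoAPI AuthRoot auto-update"
               if consistent and name else
               "not a known public root or inconsistent with its key name; "
               "inspect the DER and the writing process")
    return {"thumbprint": thumb, "friendly_name": friendly, "consistent": consistent,
            "known_public_root": name, "verdict": verdict}


def build_blob(der: bytes, friendly: str) -> bytes:
    """Serialize a context the way CryptoAPI stores it (used for the constructed sample)."""
    def rec(pid: int, data: bytes) -> bytes:
        return struct.pack("<III", pid, 1, len(data)) + data
    return (rec(CERT_FRIENDLY_NAME_PROP_ID, (friendly + "\x00").encode("utf-16-le"))
            + rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
            + rec(CERT_CERT_PROP_ID, der))


# Constructed sample: NOT a real certificate, only a stand-in DER body so the
# parsing and thumbprint check can run offline.
FAKE_DER = b"\x30\x82\x00\x10" + b"constructed-not-a-cert"
SAMPLE_BLOB = build_blob(FAKE_DER, "Example Rogue Root")
SAMPLE_KEY = hashlib.sha1(FAKE_DER).hexdigest().upper()   # the registry key name

if __name__ == "__main__":
    for k, v in classify(SAMPLE_KEY, SAMPLE_BLOB).items():
        print(f"{k}: {v}")
```

Run against a blob exported from a live system (reg.exe export, or winreg on Windows), a "consistent" result with a known thumbprint is the auto-update case described above; anything else, and in particular a consistent blob under the ROOT store with an unknown thumbprint, is what to escalate.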
Suspicious behavior: EnumeratesProcesses (64 IoCs; the report caps this list at 64 entries)
pid / process (times listed):
- 292 Tue02522f9ea0b1.exe (2)
- 1992 WerFault.exe (6)
- 1452 powershell.exe (1)
- 2448 WerFault.exe (7)
- 1220 Process not Found (all remaining entries)
"Process not Found" means the sandbox has no creation record for PID 1220: it was running before the sample started. Its other entries on this page (FindShellTrayWindow, SendNotifyMessage, SeShutdownPrivilege) look like desktop-shell activity reacting to the new processes and should not be attributed to the sample without the full process list.

Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
- 1216 Tue026e182673.exe
- 1992 WerFault.exe
- 2448 WerFault.exe

Suspicious behavior: MapViewOfSection (1 IoC)
- 292 Tue02522f9ea0b1.exe

Suspicious use of AdjustPrivilegeToken (41 IoCs)
- 456 Tue02dc626f48.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and LUIDs 31 to 35 (34 entries)
- 1992 WerFault.exe: SeDebugPrivilege
- 1824 Tue02976fcdf1.exe: SeDebugPrivilege
- 1700 Tue02705f9c2b455.exe: SeDebugPrivilege
- 2228 taskkill.exe: SeDebugPrivilege
- 1452 powershell.exe: SeDebugPrivilege
- 2448 WerFault.exe: SeDebugPrivilege
- 1220 Process not Found: SeShutdownPrivilege
The 456 entry is every privilege LUID from 2 to 35 in order (31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, which the report prints by number): the signature of a loop that enables every privilege it can name rather than a targeted request, and harmless for any privilege the token does not hold, since AdjustTokenPrivileges then just returns ERROR_NOT_ALL_ASSIGNED. SeDebugPrivilege in taskkill.exe, WerFault.exe and powershell.exe is the normal behaviour of those tools.

Suspicious use of FindShellTrayWindow (2 IoCs)
- 1220 Process not Found (2)

Suspicious use of SendNotifyMessage (2 IoCs)
- 1220 Process not Found (2)

Suspicious use of WriteProcessMemory (64 IoCs; the report caps this list at 64 entries)
Each row below was printed seven times in the original table, one per hooked write. A parent writing start-up data into a child it has just created is what CreateProcess itself does, so the uniform seven rows per child are process start-up as this sandbox records it, not injection.
- PID 792 E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe wrote to PID 1104 setup_install.exe (procid_target 28)
- PID 1104 setup_install.exe wrote to PID 1176 (procid_target 30)
- PID 1104 setup_install.exe wrote to PID 2036 (procid_target 32)
- PID 1104 setup_install.exe wrote to PID 1940 (procid_target 31)
- PID 1104 setup_install.exe wrote to PID 1352 (procid_target 33)
- PID 1104 setup_install.exe wrote to PID 1508 (procid_target 34)
- PID 1104 setup_install.exe wrote to PID 1796 (procid_target 35)
- PID 1104 setup_install.exe wrote to PID 1444 (procid_target 36)
- PID 1104 setup_install.exe wrote to PID 1892 (procid_target 37)
- PID 1104 setup_install.exe wrote to PID 1960 (procid_target 38; only one of its rows fits before the cap)
The target PIDs 1176 to 1960 are the cmd.exe /c launchers in the process tree. The cross-process write that matters, 396 into 2440 (see "Suspicious use of SetThreadContext"), falls beyond the cap and is not listed.
Processes

Indentation reproduces the parent/child depth of the original layout (its "1⤵" to "6⤵" markers); where no command line is shown it was the quoted image path. The sample is a 7-Zip SFX archive: it unpacks to C:\Users\Admin\AppData\Local\Temp\7zS813278B5\ and runs setup_install.exe from there, and setup_install.exe first adds a Windows Defender exclusion for the Temp directory and then starts each bundled payload through its own cmd.exe /c with a bare file name (the extraction directory is the working directory). cmd.exe appears as C:\Windows\SysWOW64\cmd.exe although C:\Windows\system32\cmd.exe was requested because the 32-bit parent is subject to WOW64 file-system redirection. PID 1620 is used twice (Tue02b2110095fe706.exe, and rX_UI1JtgvjM_XG3QDr1vEkz.exe after it exited), so per-PID signature rows for 1620 cover two different images.

PID 792: C:\Users\Admin\AppData\Local\Temp\E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe  [Loads dropped DLL; Suspicious use of WriteProcessMemory]
  PID 1104: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\setup_install.exe  [Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory]
    PID 1176: C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      PID 1452: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken]
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          The exclusion stops Defender from scanning everything the dropper is about to write to Temp. Defender records the change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and Get-MpPreference lists it under ExclusionPath, so it can be found on a host without this process tree.
    PID 1940: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue028a363eda.exe
      PID 1608: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue028a363eda.exe  [Executes dropped EXE; Loads dropped DLL]
          cmdline: Tue028a363eda.exe
    PID 2036: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue02522f9ea0b1.exe
      PID 292: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02522f9ea0b1.exe  [Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection]
          cmdline: Tue02522f9ea0b1.exe
    PID 1352: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue02976fcdf1.exe
      PID 1824: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02976fcdf1.exe  [Executes dropped EXE; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken]
          cmdline: Tue02976fcdf1.exe
    PID 1508: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue02520f255d0ba43a.exe
      PID 1604: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02520f255d0ba43a.exe  [Executes dropped EXE; Checks computer location settings; Loads dropped DLL; Modifies system certificate store]
          cmdline: Tue02520f255d0ba43a.exe
          This is the process that reads Geo\Nation and then writes and runs the 25 executables below under the user's Pictures folder.
        PID 2712: C:\Users\Admin\Pictures\Adobe Films\v8eRFzCqZhmMsxKzkHFDG1Vn.exe  [Executes dropped EXE]
        PID 2936: C:\Users\Admin\Pictures\Adobe Films\vU3VonxBsco3Egfy0NyNMpcX.exe  [Executes dropped EXE]
        PID 2948: C:\Users\Admin\Pictures\Adobe Films\f_vC4zlB3Ter22PgSU2E1Z2F.exe  [Executes dropped EXE]
        PID 3000: C:\Users\Admin\Pictures\Adobe Films\9ldIVvvEbjRShFdxezBdgwLP.exe  [Executes dropped EXE]
        PID 2992: C:\Users\Admin\Pictures\Adobe Films\1oI66wgq9djXWPC8UzMUj9_N.exe  [Executes dropped EXE]
        PID 2980: C:\Users\Admin\Pictures\Adobe Films\FYZpwCERZXc8ZrjuKFDUDjRU.exe  [Executes dropped EXE]
        PID 3020: C:\Users\Admin\Pictures\Adobe Films\DnfZZyLIH0Q07jWmdcDx4wV7.exe
        PID 3028: C:\Users\Admin\Pictures\Adobe Films\yows6ebj6m7T_5oh8_82yPbz.exe  [Executes dropped EXE]
        PID 1696: C:\Users\Admin\Pictures\Adobe Films\uIX22q4W_zbS5fzzPcAM_r35.exe  [Executes dropped EXE]
        PID 2240: C:\Users\Admin\Pictures\Adobe Films\KNPC9J5aoY_QoNDRelPmH9Fq.exe  [Executes dropped EXE]
        PID 2208: C:\Users\Admin\Pictures\Adobe Films\UJLmlYtwsdeJFi_KTd02QwsQ.exe  [Executes dropped EXE]
        PID 1524: C:\Users\Admin\Pictures\Adobe Films\MVT0Nnr9tz2nLPKf6FoWISsk.exe  [Executes dropped EXE; Drops file in Program Files directory]
          PID 2108: C:\Program Files (x86)\Company\NewProduct\inst2.exe  [Executes dropped EXE]
          PID 1304: C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
        PID 1012: C:\Users\Admin\Pictures\Adobe Films\Khy2nmUByLD3ekchC1fISg5c.exe  [Executes dropped EXE]
        PID 2388: C:\Users\Admin\Pictures\Adobe Films\xgnb4bupsX4JK4nxEgFH93zD.exe  [Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger]
        PID 2148: C:\Users\Admin\Pictures\Adobe Films\kVOwqYWTQ1z_tBeDrCtGCTZK.exe  [Executes dropped EXE]
        PID 2212: C:\Users\Admin\Pictures\Adobe Films\_H_9AQN0VyBOXOdsvqDhRzVR.exe  [Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger]
        PID 2216: C:\Users\Admin\Pictures\Adobe Films\5l56dlR9sW6g4Rd0YE2NMxdw.exe  [Executes dropped EXE]
        PID 2284: C:\Users\Admin\Pictures\Adobe Films\iLRAuLlu6J_em_0UDjYLOlXX.exe  [Executes dropped EXE]
        PID 2364: C:\Users\Admin\Pictures\Adobe Films\cP88ovgQa5t_f1iUKNQZb9_6.exe  [Executes dropped EXE]
        PID 1620: C:\Users\Admin\Pictures\Adobe Films\rX_UI1JtgvjM_XG3QDr1vEkz.exe  [Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger]  (second use of PID 1620)
        PID 1800: C:\Users\Admin\Pictures\Adobe Films\gg1kU4KAdWyNMJimB_yes_Fu.exe  [Executes dropped EXE]
        PID 2424: C:\Users\Admin\Pictures\Adobe Films\AHczulQtzJIwWDOxt_UZoSxn.exe  [Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger]
        PID 2460: C:\Users\Admin\Pictures\Adobe Films\qC4H_CSrr8tt4hDNnN6bixB9.exe  [Executes dropped EXE]
        PID 1736: C:\Users\Admin\Pictures\Adobe Films\zGj0gQXhhc8y6ArJ2cYUUOlk.exe  [Executes dropped EXE]
    PID 1796: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue02dc626f48.exe
      PID 456: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02dc626f48.exe  [Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken]
          cmdline: Tue02dc626f48.exe
        PID 2192: C:\Windows\SysWOW64\cmd.exe
            cmdline: cmd.exe /c taskkill /f /im chrome.exe
          PID 2228: C:\Windows\SysWOW64\taskkill.exe  [Kills process with taskkill; Suspicious use of AdjustPrivilegeToken]
              cmdline: taskkill /f /im chrome.exe
    PID 1444: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue026e94a5005f8.exe
      PID 396: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue026e94a5005f8.exe  [Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext]
          cmdline: Tue026e94a5005f8.exe
        PID 2440: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue026e94a5005f8.exe  [Executes dropped EXE; Loads dropped DLL]
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue026e94a5005f8.exe
            Hollowed copy of its parent; the RedLine YARA hits are in this process.
    PID 1892: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue02705f9c2b455.exe
      PID 1700: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02705f9c2b455.exe  [Executes dropped EXE; Suspicious use of AdjustPrivilegeToken]
          cmdline: Tue02705f9c2b455.exe
    PID 1960: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue02b2110095fe706.exe
      PID 1620: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02b2110095fe706.exe  [Executes dropped EXE; Loads dropped DLL]  (first use of PID 1620)
          cmdline: Tue02b2110095fe706.exe
        PID 892: C:\Users\Admin\AppData\Local\Temp\is-SL4CQ.tmp\Tue02b2110095fe706.tmp  [Executes dropped EXE; Loads dropped DLL]
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-SL4CQ.tmp\Tue02b2110095fe706.tmp" /SL5="$4012A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02b2110095fe706.exe"
            The is-XXXXX.tmp directory and the /SL5= parameter are the Inno Setup loader convention, so Tue02b2110095fe706.exe is an Inno Setup installer.
    PID 1708: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue026e182673.exe /mixone
      PID 1216: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue026e182673.exe  [Executes dropped EXE; Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam]
          cmdline: Tue026e182673.exe /mixone
    PID 1748: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue029560e6534e190c.exe
      PID 1572: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue029560e6534e190c.exe  [Executes dropped EXE; Loads dropped DLL]
          cmdline: Tue029560e6534e190c.exe
          The Vidar process (memory YARA hit); it crashed, see the WerFault child.
        PID 2448: C:\Windows\SysWOW64\WerFault.exe  [Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken]
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 972
    PID 344: C:\Windows\SysWOW64\cmd.exe  [Loads dropped DLL]
        cmdline: C:\Windows\system32\cmd.exe /c Tue0289c99651.exe
      PID 2744: C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue0289c99651.exe  [Executes dropped EXE]
          cmdline: Tue0289c99651.exe
          The VMProtect-packed 64-bit binary (memory YARA hit at image base 0x140000000).
    PID 1992: C:\Windows\SysWOW64\WerFault.exe  [Loads dropped DLL; Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken]
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 452
        Crash handler for setup_install.exe (PID 1104).
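Three things in the tree above are easy to get wrong when the report is consumed mechanically: lineage has to be resolved by creation order because PID 1620 is reused, the interesting command lines (the Defender exclusion, the taskkill of Chrome, the cmd.exe /c launchers) are spread across several depths, and the signature tables key on PID alone. The script below is an added example, not part of the Triage report or of any tool it describes: it rebuilds parent chains from per-process records, reports PIDs that appear with more than one image, and runs a few command-line rules. The record list is constructed from the tree above (only the nodes needed to exercise the three checks are included), and the field layout (pid, ppid, image, cmdline) and rule names are this example's own.

```python
# Added example (not from the Triage report): lineage, PID-reuse and command-line
# rules over process records like the ones in this report's process tree.
import ntpath
import re
from collections import defaultdict

# Constructed from the report's process tree: (pid, ppid, image, cmdline), in
# creation order. ppid 0 marks the root. Not the report's own data format.
RECORDS = [
    (792, 0, r"C:\Users\Admin\AppData\Local\Temp\E1917F133B3838845A0611AE4E9AC5DB1479461C18644.exe", ""),
    (1104, 792, r"C:\Users\Admin\AppData\Local\Temp\7zS813278B5\setup_install.exe", ""),
    (1176, 1104, r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (1452, 1176, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (1960, 1104, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c Tue02b2110095fe706.exe"),
    (1620, 1960, r"C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02b2110095fe706.exe", "Tue02b2110095fe706.exe"),
    (1508, 1104, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c Tue02520f255d0ba43a.exe"),
    (1604, 1508, r"C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02520f255d0ba43a.exe", "Tue02520f255d0ba43a.exe"),
    (1620, 1604, r"C:\Users\Admin\Pictures\Adobe Films\rX_UI1JtgvjM_XG3QDr1vEkz.exe", ""),   # PID 1620 reused
    (1796, 1104, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c Tue02dc626f48.exe"),
    (456, 1796, r"C:\Users\Admin\AppData\Local\Temp\7zS813278B5\Tue02dc626f48.exe", "Tue02dc626f48.exe"),
    (2192, 456, r"C:\Windows\SysWOW64\cmd.exe", "cmd.exe /c taskkill /f /im chrome.exe"),
    (2228, 2192, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
]

# Command-line rules (names are this example's own); matching is case-insensitive.
RULES = [
    ("defender-exclusion-added", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("browser-killed-before-theft",
     re.compile(r"taskkill\s+/f\s+/im\s+(chrome|msedge|firefox|opera)\.exe", re.I)),
    ("payload-launched-via-cmd-c", re.compile(r"cmd\.exe\s+/c\s+\S+\.exe", re.I)),
]


def pid_reuse(records):
    """PIDs seen with more than one image: per-PID signature rows then span processes."""
    images = defaultdict(set)
    for pid, _, image, _ in records:
        images[pid].add(image)
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def lineage(records):
    """Ancestor chain per record. A parent PID resolves to the most recent earlier
    record with that PID, which is what keeps a reused PID from mis-parenting."""
    latest, parent_idx = {}, []
    for idx, (pid, ppid, _, _) in enumerate(records):
        parent_idx.append(latest.get(ppid))
        latest[pid] = idx
    chains = []
    for idx in range(len(records)):
        chain, cur = [], idx
        while cur is not None:
            chain.append(ntpath.basename(records[cur][2]))
            cur = parent_idx[cur]
        chains.append(" <- ".join(chain))
    return chains


def rule_hits(records):
    """(pid, image basename, rule name) for every record a rule matches."""
    hits = []
    for pid, _, image, cmdline in records:
        for name, rx in RULES:
            if rx.search(cmdline):
                hits.append((pid, ntpath.basename(image), name))
    return hits


if __name__ == "__main__":
    for pid, imgs in pid_reuse(RECORDS).items():
        print(f"PID {pid} reused by: {imgs}")
    for chain in lineage(RECORDS):
        print(chain)
    for hit in rule_hits(RECORDS):
        print(hit)
```

The same three functions work on a Sysmon event 1 export or an EDR process table once the records are mapped to (pid, ppid, image, cmdline) in creation order; the creation-order requirement is the whole point of the lineage resolver, since sorting by PID would attach rX_UI1JtgvjM_XG3QDr1vEkz.exe's children, if it had any, to the wrong process.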
Network
MITRE ATT&CK Enterprise v6

Defense Evasion
- Disabling Security Tools (T1089): 1 (most plausibly the Add-MpPreference -ExclusionPath call in the process tree; the page does not say which signature produced the mapping)
- Install Root Certificate (T1130): 1 (the AuthRoot writes; see the caveat under "Modifies system certificate store")
- Modify Registry (T1112): 2
- Virtualization/Sandbox Evasion (T1497): 1 (the BIOS, SCSI and ACPI registry reads)
- Web Service (T1102): 1 (the Vidar profile on tumblr.com; in ATT&CK v6 this technique is listed under both Defense Evasion and Command and Control)