Analysis
-
max time kernel
59s -
max time network
62s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
05-03-2021 05:11
Static task
static1
Behavioral task
behavioral1
Sample
Video.nVidia.GeForce.8600.GTS.crack.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
Video.nVidia.GeForce.8600.GTS.crack.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
Video.nVidia.GeForce.8600.GTS.crack.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Video.nVidia.GeForce.8600.GTS.crack.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
Video.nVidia.GeForce.8600.GTS.crack.exe
Resource
win7v20201028
General
-
Target
Video.nVidia.GeForce.8600.GTS.crack.exe
-
Size
8.6MB
-
MD5
4c5d5630a17759bff9cb25a75a6de902
-
SHA1
7e30a081298ef34a5f7db00607f10c72464e4c96
-
SHA256
45411d2b5bf4e2d0e75af577252aba0a84ccc51e7b05e9b67a54390bb7aab8d8
-
SHA512
09d2a7fa28f88dd5c622b99318a7d68b1c3f9f6fa3edbe589cb067478dba73e790346b967599dde0745e8afeded0096c99d796206f691c34c903c97a01db80f3
Malware Config
Extracted
azorult
http://kvaka.li/1210776429.php
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Nirsoft 4 IoCs
resource yara_rule behavioral1/files/0x000200000001ab7c-125.dat Nirsoft behavioral1/files/0x000200000001ab7c-126.dat Nirsoft behavioral1/files/0x000200000001abb8-138.dat Nirsoft behavioral1/files/0x000200000001abb8-137.dat Nirsoft -
Executes dropped EXE 20 IoCs
pid Process 3084 keygen-pr.exe 3316 keygen-step-1.exe 2272 keygen-step-3.exe 2104 keygen-step-4.exe 636 file.exe 2116 key.exe 3852 key.exe 3372 F264.tmp.exe 4004 F264.tmp.exe 3172 Setup.exe 744 C0CA61A12E4C8B38.exe 4072 C0CA61A12E4C8B38.exe 1724 Install.exe 1772 multitimer.exe 4032 askinstall20.exe 4220 1614924631923.exe 4404 md2_2efs.exe 4764 1614924636798.exe 4908 BTRSetp.exe 4976 multitimer.exe -
resource yara_rule behavioral1/files/0x000200000001a0e3-65.dat office_xlm_macros -
Loads dropped DLL 1 IoCs
pid Process 2572 MsiExec.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 40 api.ipify.org -
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Setup.exe File opened for modification \??\PhysicalDrive0 C0CA61A12E4C8B38.exe File opened for modification \??\PhysicalDrive0 C0CA61A12E4C8B38.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3172 Setup.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2116 set thread context of 3852 2116 key.exe 91 PID 3372 set thread context of 4004 3372 F264.tmp.exe 96 PID 744 set thread context of 3816 744 C0CA61A12E4C8B38.exe 113 PID 744 set thread context of 4752 744 C0CA61A12E4C8B38.exe 125 -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName C0CA61A12E4C8B38.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 C0CA61A12E4C8B38.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc C0CA61A12E4C8B38.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString F264.tmp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 F264.tmp.exe -
Kills process with taskkill 2 IoCs
pid Process 3568 taskkill.exe 4144 taskkill.exe -
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e file.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe -
Runs ping.exe 1 TTPs 4 IoCs
pid Process 3856 PING.EXE 3580 PING.EXE 3464 PING.EXE 4376 PING.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 2116 key.exe 2116 key.exe 636 file.exe 636 file.exe 4004 F264.tmp.exe 4004 F264.tmp.exe 636 file.exe 636 file.exe 636 file.exe 636 file.exe 636 file.exe 636 file.exe 4220 1614924631923.exe 4220 1614924631923.exe 4764 1614924636798.exe 4764 1614924636798.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeImpersonatePrivilege 2116 key.exe Token: SeTcbPrivilege 2116 key.exe Token: SeChangeNotifyPrivilege 2116 key.exe Token: SeCreateTokenPrivilege 2116 key.exe Token: SeBackupPrivilege 2116 key.exe Token: SeRestorePrivilege 2116 key.exe Token: SeIncreaseQuotaPrivilege 2116 key.exe Token: SeAssignPrimaryTokenPrivilege 2116 key.exe Token: SeImpersonatePrivilege 2116 key.exe Token: SeTcbPrivilege 2116 key.exe Token: SeChangeNotifyPrivilege 2116 key.exe Token: SeCreateTokenPrivilege 2116 key.exe Token: SeBackupPrivilege 2116 key.exe Token: SeRestorePrivilege 2116 key.exe Token: SeIncreaseQuotaPrivilege 2116 key.exe Token: SeAssignPrimaryTokenPrivilege 2116 key.exe Token: SeImpersonatePrivilege 2116 key.exe Token: SeTcbPrivilege 2116 key.exe Token: SeChangeNotifyPrivilege 2116 key.exe Token: SeCreateTokenPrivilege 2116 key.exe Token: SeBackupPrivilege 2116 key.exe Token: SeRestorePrivilege 2116 key.exe Token: SeIncreaseQuotaPrivilege 2116 key.exe Token: SeAssignPrimaryTokenPrivilege 2116 key.exe Token: SeImpersonatePrivilege 2116 key.exe Token: SeTcbPrivilege 2116 key.exe Token: SeChangeNotifyPrivilege 2116 key.exe Token: SeCreateTokenPrivilege 2116 key.exe Token: SeBackupPrivilege 2116 key.exe Token: SeRestorePrivilege 2116 key.exe Token: SeIncreaseQuotaPrivilege 2116 key.exe Token: SeAssignPrimaryTokenPrivilege 2116 key.exe Token: SeImpersonatePrivilege 2116 key.exe Token: SeTcbPrivilege 2116 key.exe Token: SeChangeNotifyPrivilege 2116 key.exe Token: SeCreateTokenPrivilege 2116 key.exe Token: SeBackupPrivilege 2116 key.exe Token: SeRestorePrivilege 2116 key.exe Token: SeIncreaseQuotaPrivilege 2116 key.exe Token: SeAssignPrimaryTokenPrivilege 2116 key.exe Token: SeDebugPrivilege 636 file.exe Token: SeShutdownPrivilege 2328 msiexec.exe Token: SeIncreaseQuotaPrivilege 2328 msiexec.exe Token: SeSecurityPrivilege 3828 msiexec.exe Token: SeCreateTokenPrivilege 2328 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2328 msiexec.exe Token: SeLockMemoryPrivilege 2328 msiexec.exe Token: SeIncreaseQuotaPrivilege 2328 msiexec.exe Token: SeMachineAccountPrivilege 2328 msiexec.exe Token: SeTcbPrivilege 2328 msiexec.exe Token: SeSecurityPrivilege 2328 msiexec.exe Token: SeTakeOwnershipPrivilege 2328 msiexec.exe Token: SeLoadDriverPrivilege 2328 msiexec.exe Token: SeSystemProfilePrivilege 2328 msiexec.exe Token: SeSystemtimePrivilege 2328 msiexec.exe Token: SeProfSingleProcessPrivilege 2328 msiexec.exe Token: SeIncBasePriorityPrivilege 2328 msiexec.exe Token: SeCreatePagefilePrivilege 2328 msiexec.exe Token: SeCreatePermanentPrivilege 2328 msiexec.exe Token: SeBackupPrivilege 2328 msiexec.exe Token: SeRestorePrivilege 2328 msiexec.exe Token: SeShutdownPrivilege 2328 msiexec.exe Token: SeDebugPrivilege 2328 msiexec.exe Token: SeAuditPrivilege 2328 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2328 msiexec.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 3172 Setup.exe 744 C0CA61A12E4C8B38.exe 4072 C0CA61A12E4C8B38.exe 3816 firefox.exe 4220 1614924631923.exe 4752 firefox.exe 4764 1614924636798.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 880 wrote to memory of 3520 880 Video.nVidia.GeForce.8600.GTS.crack.exe 79 PID 880 wrote to memory of 3520 880 Video.nVidia.GeForce.8600.GTS.crack.exe 79 PID 880 wrote to memory of 3520 880 Video.nVidia.GeForce.8600.GTS.crack.exe 79 PID 3520 wrote to memory of 3084 3520 cmd.exe 82 PID 3520 wrote to memory of 3084 3520 cmd.exe 82 PID 3520 wrote to memory of 3084 3520 cmd.exe 82 PID 3520 wrote to memory of 3316 3520 cmd.exe 83 PID 3520 wrote to memory of 3316 3520 cmd.exe 83 PID 3520 wrote to memory of 3316 3520 cmd.exe 83 PID 3520 wrote to memory of 2272 3520 cmd.exe 84 PID 3520 wrote to memory of 2272 3520 cmd.exe 84 PID 3520 wrote to memory of 2272 3520 cmd.exe 84 PID 3520 wrote to memory of 2104 3520 cmd.exe 85 PID 3520 wrote to memory of 2104 3520 cmd.exe 85 PID 3520 wrote to memory of 2104 3520 cmd.exe 85 PID 2104 wrote to memory of 636 2104 keygen-step-4.exe 86 PID 2104 wrote to memory of 636 2104 keygen-step-4.exe 86 PID 2104 wrote to memory of 636 2104 keygen-step-4.exe 86 PID 3084 wrote to memory of 2116 3084 keygen-pr.exe 87 PID 3084 wrote to memory of 2116 3084 keygen-pr.exe 87 PID 3084 wrote to memory of 2116 3084 keygen-pr.exe 87 PID 2272 wrote to memory of 420 2272 keygen-step-3.exe 88 PID 2272 wrote to memory of 420 2272 keygen-step-3.exe 88 PID 2272 wrote to memory of 420 2272 keygen-step-3.exe 88 PID 420 wrote to memory of 3856 420 cmd.exe 90 PID 420 wrote to memory of 3856 420 cmd.exe 90 PID 420 wrote to memory of 3856 420 cmd.exe 90 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 2116 wrote to memory of 3852 2116 key.exe 91 PID 636 wrote to memory of 3372 636 file.exe 94 PID 636 wrote to memory of 3372 636 file.exe 94 PID 636 wrote to memory of 3372 636 file.exe 94 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 3372 wrote to memory of 4004 3372 F264.tmp.exe 96 PID 636 wrote to memory of 856 636 file.exe 97 PID 636 wrote to memory of 856 636 file.exe 97 PID 636 wrote to memory of 856 636 file.exe 97 PID 856 wrote to memory of 3580 856 cmd.exe 100 PID 856 wrote to memory of 3580 856 cmd.exe 100 PID 856 wrote to memory of 3580 856 cmd.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\Video.nVidia.GeForce.8600.GTS.crack.exe"C:\Users\Admin\AppData\Local\Temp\Video.nVidia.GeForce.8600.GTS.crack.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3520 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3084 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
PID:3852
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:3316
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:420 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:3856
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Users\Admin\AppData\Roaming\F264.tmp.exe"C:\Users\Admin\AppData\Roaming\F264.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Users\Admin\AppData\Roaming\F264.tmp.exe"C:\Users\Admin\AppData\Roaming\F264.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4004
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:3580
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3172 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2328
-
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 0011 installp15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:744 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:3816
-
-
C:\Users\Admin\AppData\Roaming\1614924631923.exe"C:\Users\Admin\AppData\Roaming\1614924631923.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924631923.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4220
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4752
-
-
C:\Users\Admin\AppData\Roaming\1614924636798.exe"C:\Users\Admin\AppData\Roaming\1614924636798.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614924636798.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4764
-
-
-
C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exeC:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe 200 installp15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4072 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:1380
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:3568
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\C0CA61A12E4C8B38.exe"6⤵PID:4328
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:4376
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"5⤵PID:1856
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
PID:3464
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"4⤵
- Executes dropped EXE
PID:1724 -
C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1772 -
C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe" 1 3.1614921253.6041be254aaae 1016⤵
- Executes dropped EXE
PID:4976 -
C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\W4O481FE7O\multitimer.exe" 2 3.1614921253.6041be254aaae7⤵PID:5084
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
PID:4032 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:2300
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
PID:4144
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4404
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
- Executes dropped EXE
PID:4908 -
C:\ProgramData\3933505.43"C:\ProgramData\3933505.43"5⤵PID:2796
-
-
C:\ProgramData\1176841.12"C:\ProgramData\1176841.12"5⤵PID:4168
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3828 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 63A366DA7638C1295CF9F9F4F330009D C2⤵
- Loads dropped DLL
PID:2572
-