plugx | hxxp://crackdj[.]com

Analysis

max time kernel
80s
max time network
151s
platform
windows10_x64
resource
win10v20210410
submitted
21-06-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://crackdj.com
Sample

210621-adz9hax4rn

Score

10^/10

plugx redline aspackv2 evasion infostealer themida trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral1/memory/912-226-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/912-229-0x0000000000417DBE-mapping.dmp	family_redline
behavioral1/files/0x000100000001ac07-306.dat	family_redline
behavioral1/files/0x000100000001ac07-307.dat	family_redline

ASPack v2.12-2.42 9 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000300000001a21f-142.dat	aspack_v212_v242
behavioral1/files/0x000300000001a21f-143.dat	aspack_v212_v242
behavioral1/files/0x000500000000770b-147.dat	aspack_v212_v242
behavioral1/files/0x000400000001563d-154.dat	aspack_v212_v242
behavioral1/files/0x000400000001563d-153.dat	aspack_v212_v242
behavioral1/files/0x000500000000770b-150.dat	aspack_v212_v242
behavioral1/files/0x000500000000770b-149.dat	aspack_v212_v242
behavioral1/files/0x0007000000015639-148.dat	aspack_v212_v242
behavioral1/files/0x0007000000015639-146.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
4544	setup_x86_x64_install.exe
4736	setup_installer.exe
4192	setup_install.exe
1924	arnatic_3.exe
3924	arnatic_2.exe
4976	arnatic_1.exe
4360	arnatic_4.exe
1112	arnatic_7.exe
5052	arnatic_6.exe
4412	arnatic_5.exe
4892	arnatic_8.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001a8ff-211.dat	upx
behavioral1/files/0x000700000001a8ff-210.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	arnatic_3.exe

Loads dropped DLL 6 IoCs

pid	Process
4192	setup_install.exe
4192	setup_install.exe
4192	setup_install.exe
4192	setup_install.exe
4192	setup_install.exe
4192	setup_install.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000100000001ac07-306.dat	themida
behavioral1/files/0x000100000001ac07-307.dat	themida

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
163	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000fffffffffffffffffffffffffffffffff8fffffff8ffffff08050000b0020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2592383636"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30893725"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad98e1c4c5c1f64cbad3c833b8884b2700000000020000000000106600000001000020000000214d4819418bab59dcb11551378b57acc9e8a3fabbdcca6fb372224f76478fad000000000e8000000002000020000000d7cc7cd23fb7ed28862ab57861849e94d375ad11167be75cedca6ab726409d1f20000000ea08b2a621f6da424f5cf5a53c68a2482adc279c8c44f0b90c2186238c8741294000000080943a5fae367215ee34f2b9083c6bba84503543a005c84f712e3f1138fccbdcddbc1c69b1f102c397f7154572a596c22a2c91b0b77d9acb0c6281bd7f91112d	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30893725"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad98e1c4c5c1f64cbad3c833b8884b27000000000200000000001066000000010000200000009bc9d717f572f5121fb04a96752c3185857d303f5f2015090465a8da224a9c0b000000000e8000000002000020000000b78e00fa402a1227d0a6e52bba4782a5cb160344b921ff4038f4a460a9a7d4c720000000c4e239a184b7ae7619e29748f72bdb7b47a001db70842ff1cd35475441238cb440000000e8480c619dd87bf09418b6402f07119da4bc3a49bec31488933bde29284572d2ac9a4ab176a1c8679ecbc30ecd5fdf664b8833f05a646c1e19038ba4176751e9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C5A3A0EF-D290-11EB-A11C-F6AF56FFA818} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e05b079e9d66d701	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2592540040"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0057009e9d66d701	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	arnatic_3.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\60d08c_Screenpresso-Pr.zip:Zone.Identifier	firefox.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	firefox.exe
Token: SeDebugPrivilege	2808	firefox.exe
Token: SeDebugPrivilege	2808	firefox.exe
Token: SeRestorePrivilege	4000	7zG.exe
Token: 35	4000	7zG.exe
Token: SeSecurityPrivilege	4000	7zG.exe
Token: SeSecurityPrivilege	4000	7zG.exe
Token: SeRestorePrivilege	4488	7zG.exe
Token: 35	4488	7zG.exe
Token: SeSecurityPrivilege	4488	7zG.exe
Token: SeSecurityPrivilege	4488	7zG.exe
Token: SeDebugPrivilege	1112	arnatic_7.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3256	iexplore.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
4000	7zG.exe
4488	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3256	iexplore.exe
3256	iexplore.exe
200	IEXPLORE.EXE
200	IEXPLORE.EXE
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
2808	firefox.exe
4544	setup_x86_x64_install.exe
4736	setup_installer.exe
4192	setup_install.exe
1924	arnatic_3.exe
3924	arnatic_2.exe
4976	arnatic_1.exe
5052	arnatic_6.exe
4892	arnatic_8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 200	3256	iexplore.exe	75
PID 3256 wrote to memory of 200	3256	iexplore.exe	75
PID 3256 wrote to memory of 200	3256	iexplore.exe	75
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2128 wrote to memory of 2808	2128	firefox.exe	81
PID 2808 wrote to memory of 3408	2808	firefox.exe	82
PID 2808 wrote to memory of 3408	2808	firefox.exe	82
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 1548	2808	firefox.exe	83
PID 2808 wrote to memory of 4336	2808	firefox.exe	85
PID 2808 wrote to memory of 4336	2808	firefox.exe	85
PID 2808 wrote to memory of 4336	2808	firefox.exe	85
PID 2808 wrote to memory of 4336	2808	firefox.exe	85
PID 2808 wrote to memory of 4336	2808	firefox.exe	85
PID 2808 wrote to memory of 4336	2808	firefox.exe	85
PID 2808 wrote to memory of 4336	2808	firefox.exe	85

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://crackdj.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3256 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.0.1360953480\810964231" -parentBuildID 20200403170909 -prefsHandle 1560 -prefMapHandle 1552 -prefsLen 1 -prefMapSize 219680 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 1636 gpu
    3⤵
    PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.3.144028769\845470030" -childID 1 -isForBrowser -prefsHandle 2264 -prefMapHandle 2260 -prefsLen 156 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 2276 tab
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.13.100353945\1508981201" -childID 2 -isForBrowser -prefsHandle 3380 -prefMapHandle 3376 -prefsLen 7013 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 3404 tab
    3⤵
    PID:4336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.20.120305182\1578533028" -childID 3 -isForBrowser -prefsHandle 4556 -prefMapHandle 4552 -prefsLen 7941 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 4780 tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2808.27.1493678793\1488221995" -childID 4 -isForBrowser -prefsHandle 8676 -prefMapHandle 8692 -prefsLen 8649 -prefMapSize 219680 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2808 "\\.\pipe\gecko-crash-server-pipe.2808" 8660 tab
    3⤵
    PID:5020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\60d08c_Screenpresso-Pr\" -spe -an -ai#7zMap27803:106:7zEvent18588
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4000

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\60d08c_Screenpresso-Pr\Screenpresso-Pro-1101-Crack---Keygen-Free-Download-2021\60d08cf46650060d08cf4_setupInstall\" -spe -an -ai#7zMap5177:288:7zEvent22568
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4488

C:\Users\Admin\Downloads\60d08c_Screenpresso-Pr\Screenpresso-Pro-1101-Crack---Keygen-Free-Download-2021\60d08cf46650060d08cf4_setupInstall\setup_x86_x64_install.exe
"C:\Users\Admin\Downloads\60d08c_Screenpresso-Pr\Screenpresso-Pro-1101-Crack---Keygen-Free-Download-2021\60d08cf46650060d08cf4_setupInstall\setup_x86_x64_install.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4544
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS08284F75\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_1.exe
      4⤵
      PID:2316
    - - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_1.exe
        
        arnatic_1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_3.exe
      4⤵
      PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_3.exe
        
        arnatic_3.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1924
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        6⤵
        
        PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_4.exe
      4⤵
      PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_4.exe
        
        arnatic_4.exe
        5⤵
        Executes dropped EXE
        
        PID:4360
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_6.exe
      4⤵
      PID:4056
    - - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_6.exe
        
        arnatic_6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5052
      - C:\Users\Admin\Documents\qFmeAJmWyYvSOtYe81CuJXb2.exe
        
        "C:\Users\Admin\Documents\qFmeAJmWyYvSOtYe81CuJXb2.exe"
        6⤵
        
        PID:4872
      - C:\Users\Admin\Documents\k9gJjkfu1KmIPTL_lNndb3xZ.exe
        
        "C:\Users\Admin\Documents\k9gJjkfu1KmIPTL_lNndb3xZ.exe"
        6⤵
        
        PID:2312
      - C:\Users\Admin\Documents\BHmg5FcXQ2Elap2CE15fEK5I.exe
        
        "C:\Users\Admin\Documents\BHmg5FcXQ2Elap2CE15fEK5I.exe"
        6⤵
        
        PID:4684
      - C:\Users\Admin\Documents\504iic878sQwZHjmdqVYbYLM.exe
        
        "C:\Users\Admin\Documents\504iic878sQwZHjmdqVYbYLM.exe"
        6⤵
        
        PID:4632
      - C:\Users\Admin\Documents\sN3IRFQk3gPBYDb6MOdCbjXP.exe
        
        "C:\Users\Admin\Documents\sN3IRFQk3gPBYDb6MOdCbjXP.exe"
        6⤵
        
        PID:4424
      - C:\Users\Admin\Documents\ON16XAbcgog4PpgEg7RFdY8c.exe
        
        "C:\Users\Admin\Documents\ON16XAbcgog4PpgEg7RFdY8c.exe"
        6⤵
        
        PID:3288
      - C:\Users\Admin\Documents\zXu9Ifmw3G02XZSD9o2eVt0T.exe
        
        "C:\Users\Admin\Documents\zXu9Ifmw3G02XZSD9o2eVt0T.exe"
        6⤵
        
        PID:3868
      - C:\Users\Admin\Documents\IWjDqoksLqywLyyWKYXfMF8Y.exe
        
        "C:\Users\Admin\Documents\IWjDqoksLqywLyyWKYXfMF8Y.exe"
        6⤵
        
        PID:4688
      - C:\Users\Admin\Documents\y8Z7gAFT2CaMGpdkx6bdd12P.exe
        
        "C:\Users\Admin\Documents\y8Z7gAFT2CaMGpdkx6bdd12P.exe"
        6⤵
        
        PID:3260
      - C:\Users\Admin\Documents\YiotXA2I3Jty5J0aSUMcdgsU.exe
        
        "C:\Users\Admin\Documents\YiotXA2I3Jty5J0aSUMcdgsU.exe"
        6⤵
        
        PID:4544
      - C:\Users\Admin\Documents\8FRyUn604BPZwApKgKldFx0G.exe
        
        "C:\Users\Admin\Documents\8FRyUn604BPZwApKgKldFx0G.exe"
        6⤵
        
        PID:4780
      - C:\Users\Admin\Documents\B06X52Rd8PBXdn7m9Uk8eBU_.exe
        
        "C:\Users\Admin\Documents\B06X52Rd8PBXdn7m9Uk8eBU_.exe"
        6⤵
        
        PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_7.exe
      4⤵
      PID:2104
    - - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_7.exe
        
        arnatic_7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_7.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_7.exe
        6⤵
        
        PID:912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_8.exe
      4⤵
      PID:1008
    - - C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_8.exe
        
        arnatic_8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_5.exe
      4⤵
      PID:4276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_2.exe
      4⤵
      PID:2272

C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_5.exe
arnatic_5.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\AppData\Local\Temp\7zS08284F75\arnatic_2.exe
arnatic_2.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/492-237-0x000002382A030000-0x000002382A0A1000-memory.dmp

Filesize
452KB

Download
memory/912-260-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/912-242-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/912-238-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/912-240-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/912-226-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/912-250-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/912-245-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1016-224-0x000001AE9FB00000-0x000001AE9FB71000-memory.dmp

Filesize
452KB

Download
memory/1028-257-0x0000024F9F310000-0x0000024F9F381000-memory.dmp

Filesize
452KB

Download
memory/1112-195-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1112-202-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1144-252-0x00000155B2E20000-0x00000155B2E91000-memory.dmp

Filesize
452KB

Download
memory/1196-283-0x0000018854A40000-0x0000018854AB1000-memory.dmp

Filesize
452KB

Download
memory/1380-270-0x000002DE02D70000-0x000002DE02DE1000-memory.dmp

Filesize
452KB

Download
memory/1460-269-0x000001B93F270000-0x000001B93F2E1000-memory.dmp

Filesize
452KB

Download
memory/1936-276-0x0000025C9CE40000-0x0000025C9CEB1000-memory.dmp

Filesize
452KB

Download
memory/2472-246-0x00000239DFCB0000-0x00000239DFD21000-memory.dmp

Filesize
452KB

Download
memory/2528-235-0x0000022FCA010000-0x0000022FCA081000-memory.dmp

Filesize
452KB

Download
memory/2780-275-0x0000020995840000-0x00000209958B1000-memory.dmp

Filesize
452KB

Download
memory/2800-281-0x000002530BA60000-0x000002530BAD1000-memory.dmp

Filesize
452KB

Download
memory/2868-219-0x0000020002220000-0x0000020002291000-memory.dmp

Filesize
452KB

Download
memory/3256-114-0x00007FFCF2110000-0x00007FFCF217B000-memory.dmp

Filesize
428KB

Download
memory/4192-157-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4192-158-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4192-177-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4192-178-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4192-155-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4192-179-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4192-180-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4192-156-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4412-199-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/4412-201-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/4412-214-0x0000000000F30000-0x0000000000F32000-memory.dmp

Filesize
8KB

Download
memory/4412-200-0x0000000002670000-0x000000000268B000-memory.dmp

Filesize
108KB

Download
memory/4412-197-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4536-220-0x0000025385670000-0x00000253856E1000-memory.dmp

Filesize
452KB

Download
memory/4536-217-0x0000025385360000-0x00000253853AC000-memory.dmp

Filesize
304KB

Download
memory/4944-223-0x00000000046B8000-0x00000000047B9000-memory.dmp

Filesize
1.0MB

Download
memory/4944-225-0x00000000044A0000-0x00000000044FD000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads