Analysis

  • max time kernel
    99s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23/12/2021, 19:36

General

  • Target
    03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe
  • Size
    4.8MB
  • MD5
    5d941d663aa77335eebfc3769cbbe12c
  • SHA1
    89aba2fe3c8c7b73d95bde2cc0191caf89471627
  • SHA256
    03430361a6d2fe6c89d6b237ca9b887cc6269187b305afc9ef3d8642533698c4
  • SHA512
    f1a7069425d51860f79587846f1d1870e3f3ccdba3fd39e549beea96b3b3e555f2522a08a6af1ebf2aa3263a1e61e2af1a1eca62af11e997c8cf42cb1f95f467

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.iyiqian.com/
    http://www.xxhufdc.top/
    http://www.uefhkice.xyz/
    http://www.fcektsy.top/

Extracted

  • Family
    vidar
  • Version
    40
  • Botnet
    916
  • C2
    https://lenak513.tumblr.com/
  • Attributes
    • profile_id
      916

Signatures

  • Modifies Windows Defender Real-time Protection settings (3 TTPs)
  • Process spawned unexpected child process (1 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (8 IoCs)
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload (2 IoCs)
  • Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer (1 IoCs)
  • Blocklisted process makes network request (10 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (23 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (17 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTPs, 1 IoCs)
  • Enumerates connected drives (3 TTPs, 48 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (5 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoCs)
  • Drops file in Program Files directory (16 IoCs)
  • Drops file in Windows directory (18 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (8 IoCs)
  • NSIS installer (4 IoCs)
  • Kills process with taskkill (1 IoCs)
  • Modifies registry class (8 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    PID:2364
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2620
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
      PID:2908
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3960
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Modifies registry class
      PID:3728
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    PID:2656
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    PID:2504
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    PID:2328
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    PID:1892
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    PID:1484
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    PID:1288
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    PID:1240
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    PID:1108
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    PID:968
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    PID:316
  • C:\Users\Admin\AppData\Local\Temp\03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe
    "C:\Users\Admin\AppData\Local\Temp\03430361A6D2FE6C89D6B237CA9B887CC6269187B305A.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\runvd.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      PID:3416
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 920
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        PID:3676
    • C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Users\Admin\AppData\Local\Temp\is-GHSJE.tmp\MediaBurner2.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-GHSJE.tmp\MediaBurner2.tmp" /SL5="$101E2,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1000
    • C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im chrome.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1852
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im chrome.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 588 -s 1808
        3⤵
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        PID:2044
    • C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1640291574 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        3⤵
        PID:2760
    • C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3148
    • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      PID:2228
    • C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:856
      • C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
        3⤵
        • Executes dropped EXE
        PID:3972
    • C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
      "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3916
      • C:\Users\Admin\Pictures\Adobe Films\GewCupYlV_iiVo0qXYveLUwk.exe
        "C:\Users\Admin\Pictures\Adobe Films\GewCupYlV_iiVo0qXYveLUwk.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2804
      • C:\Users\Admin\Pictures\Adobe Films\xM1P9NKBBdiVOS1FP_KadwCb.exe
        "C:\Users\Admin\Pictures\Adobe Films\xM1P9NKBBdiVOS1FP_KadwCb.exe"
        3⤵
        • Executes dropped EXE
        PID:3276
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 664
          4⤵
          • Program crash
          PID:5012
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 652
          4⤵
          • Program crash
          PID:2344
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 684
          4⤵
          • Program crash
          PID:4460
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 660
          4⤵
          • Program crash
          PID:3476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 1068
          4⤵
          • Program crash
          PID:4372
      • C:\Users\Admin\Pictures\Adobe Films\GHJuvfcJyseji4fd9OA5Yv2p.exe
        "C:\Users\Admin\Pictures\Adobe Films\GHJuvfcJyseji4fd9OA5Yv2p.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1148
      • C:\Users\Admin\Pictures\Adobe Films\E0WOjJpmIn_gsvCjz5tUuM82.exe
        "C:\Users\Admin\Pictures\Adobe Films\E0WOjJpmIn_gsvCjz5tUuM82.exe"
        3⤵
        • Executes dropped EXE
        PID:1472
      • C:\Users\Admin\Pictures\Adobe Films\EN2wZSa05mBnAQehK4lokiHo.exe
        "C:\Users\Admin\Pictures\Adobe Films\EN2wZSa05mBnAQehK4lokiHo.exe"
        3⤵
        • Executes dropped EXE
        PID:1260
      • C:\Users\Admin\Pictures\Adobe Films\EfHVp39OI71zf5YswxnWFWjQ.exe
        "C:\Users\Admin\Pictures\Adobe Films\EfHVp39OI71zf5YswxnWFWjQ.exe"
        3⤵
        • Executes dropped EXE
        PID:1564
        • C:\Users\Admin\AppData\Local\Temp\InstallDriverVBS.exe
          "C:\Users\Admin\AppData\Local\Temp\InstallDriverVBS.exe"
          4⤵
          PID:4548
        • C:\Users\Admin\AppData\Local\Temp\Zexan_crypted.exe
          "C:\Users\Admin\AppData\Local\Temp\Zexan_crypted.exe"
          4⤵
          PID:5040
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 632
            5⤵
            • Program crash
            PID:2788
      • C:\Users\Admin\Pictures\Adobe Films\Gr03clyiwapKfRgqtVOSXUYM.exe
        "C:\Users\Admin\Pictures\Adobe Films\Gr03clyiwapKfRgqtVOSXUYM.exe"
        3⤵
        • Executes dropped EXE
        PID:2244
      • C:\Users\Admin\Pictures\Adobe Films\byh9drDJmXLOSDw6InoXAzs4.exe
        "C:\Users\Admin\Pictures\Adobe Films\byh9drDJmXLOSDw6InoXAzs4.exe"
        3⤵
        • Executes dropped EXE
        PID:1476
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\System32\mshta.exe" vbsCrIPT: cLose ( CREatEObJECT ( "wSCripT.sHeLl" ).Run ( "C:\Windows\system32\cmd.exe /q /r TyPE ""C:\Users\Admin\Pictures\Adobe Films\byh9drDJmXLOSDw6InoXAzs4.exe"" > ..\ZCJQBxDe1bLl.exE && staRT ..\zCjQBxDe1bLl.exE /pVxJDYWtOoH4fPZQYK~Ihe & If """" == """" for %e In ( ""C:\Users\Admin\Pictures\Adobe Films\byh9drDJmXLOSDw6InoXAzs4.exe"" ) do taskkill /iM ""%~Nxe"" -f ", 0 , TrUe ) )
          4⤵
          PID:4700
      • C:\Users\Admin\Pictures\Adobe Films\pVIVesayezD7wxd9Okyybp7Y.exe
        "C:\Users\Admin\Pictures\Adobe Films\pVIVesayezD7wxd9Okyybp7Y.exe"
        3⤵
        • Executes dropped EXE
        PID:3172
      • C:\Users\Admin\Pictures\Adobe Films\tePtsMsDc42w6uQFtbvtffq7.exe
        "C:\Users\Admin\Pictures\Adobe Films\tePtsMsDc42w6uQFtbvtffq7.exe"
        3⤵
        • Executes dropped EXE
        PID:2544
      • C:\Users\Admin\Pictures\Adobe Films\S1n1NAt4Mi8RhhTz10GRuNYC.exe
        "C:\Users\Admin\Pictures\Adobe Films\S1n1NAt4Mi8RhhTz10GRuNYC.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        PID:1588
      • C:\Users\Admin\Pictures\Adobe Films\zQIG55QNaDd6JyXQQXSPviyR.exe
        "C:\Users\Admin\Pictures\Adobe Films\zQIG55QNaDd6JyXQQXSPviyR.exe"
        3⤵
        PID:3700
        • C:\Users\Admin\AppData\Local\Temp\7zS934E.tmp\Install.exe
          .\Install.exe
          4⤵
          PID:4580
          • C:\Users\Admin\AppData\Local\Temp\7zSFB2.tmp\Install.exe
            .\Install.exe /S /site_id "525403"
            5⤵
            PID:4908
      • C:\Users\Admin\Pictures\Adobe Films\kp9Crqo3qNyuiZAgZgbDReet.exe
        "C:\Users\Admin\Pictures\Adobe Films\kp9Crqo3qNyuiZAgZgbDReet.exe"
        3⤵
        PID:3928
      • C:\Users\Admin\Pictures\Adobe Films\Iir47yV0ATOrNdjtqu7K7kG1.exe
        "C:\Users\Admin\Pictures\Adobe Films\Iir47yV0ATOrNdjtqu7K7kG1.exe"
        3⤵
        PID:4072
      • C:\Users\Admin\Pictures\Adobe Films\DNbiDhCVeChR893CBvW0s2_k.exe
        "C:\Users\Admin\Pictures\Adobe Films\DNbiDhCVeChR893CBvW0s2_k.exe"
        3⤵
        PID:4064
        • C:\Users\Admin\AppData\Local\Temp\11111.exe
          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          4⤵
          PID:4432
        • C:\Users\Admin\AppData\Local\Temp\11111.exe
          C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          4⤵
          PID:4952
      • C:\Users\Admin\Pictures\Adobe Films\yGOtpV4wla9LkX_wU6rzQbv6.exe
        "C:\Users\Admin\Pictures\Adobe Films\yGOtpV4wla9LkX_wU6rzQbv6.exe"
        3⤵
        PID:3344
        • C:\Users\Public\Videos\hgfdfds.exe
          "C:\Users\Public\Videos\hgfdfds.exe"
          4⤵
          PID:4776
      • C:\Users\Admin\Pictures\Adobe Films\m6Sxx3U8sU1Gpr8XJZcPyDTK.exe
        "C:\Users\Admin\Pictures\Adobe Films\m6Sxx3U8sU1Gpr8XJZcPyDTK.exe"
        3⤵
        PID:4144
      • C:\Users\Admin\Pictures\Adobe Films\yM9uWI5giOnQ0WFnsYHU0DRB.exe
        "C:\Users\Admin\Pictures\Adobe Films\yM9uWI5giOnQ0WFnsYHU0DRB.exe"
        3⤵
        PID:4120
      • C:\Users\Admin\Pictures\Adobe Films\dXzogWI2g_ECoWCSrmOHfFvb.exe
        "C:\Users\Admin\Pictures\Adobe Films\dXzogWI2g_ECoWCSrmOHfFvb.exe"
        3⤵
        PID:4108
      • C:\Users\Admin\Pictures\Adobe Films\STzWGxoCboHBYrmUi7f1nSkA.exe
        "C:\Users\Admin\Pictures\Adobe Films\STzWGxoCboHBYrmUi7f1nSkA.exe"
        3⤵
        PID:4240
      • C:\Users\Admin\Pictures\Adobe Films\WKsUXex1Eemsxn2PLqDaWKEM.exe
        "C:\Users\Admin\Pictures\Adobe Films\WKsUXex1Eemsxn2PLqDaWKEM.exe"
        3⤵
        PID:4320
      • C:\Users\Admin\Pictures\Adobe Films\FUTg6kbZYPQq4C_f2hw8CR_D.exe
        "C:\Users\Admin\Pictures\Adobe Films\FUTg6kbZYPQq4C_f2hw8CR_D.exe"
        3⤵
        PID:4744
      • C:\Users\Admin\Pictures\Adobe Films\e9NKI61RfozELE55EpBwaPN9.exe
        "C:\Users\Admin\Pictures\Adobe Films\e9NKI61RfozELE55EpBwaPN9.exe"
        3⤵
        PID:5096
      • C:\Users\Admin\Pictures\Adobe Films\WnmxjjASLO86wq1ks__NFQ3e.exe
        "C:\Users\Admin\Pictures\Adobe Films\WnmxjjASLO86wq1ks__NFQ3e.exe"
        3⤵
        PID:4168
      • C:\Users\Admin\Pictures\Adobe Films\s7u_VbYuhr1npMCXsNvcpbGm.exe
        "C:\Users\Admin\Pictures\Adobe Films\s7u_VbYuhr1npMCXsNvcpbGm.exe"
        3⤵
        PID:3900
      • C:\Users\Admin\Pictures\Adobe Films\FoYhBbiCadr_MblfxCz1Hb0j.exe
        "C:\Users\Admin\Pictures\Adobe Films\FoYhBbiCadr_MblfxCz1Hb0j.exe"
        3⤵
        PID:3852
  • C:\Windows\system32\rUNdlL32.eXe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 8C4B8FCBE9DDCEF8D53C7F0DA7E83573 C
      2⤵
      • Loads dropped DLL
      PID:1452
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 7E8CA3C5D299CF88E37E37BFC81DB770
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:1040
    • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:348
      • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1964

                                                                          Network

                                                                                MITRE ATT&CK Enterprise v6

                                                                                Downloads


                                                                                  304KB

                                                                                • memory/3960-161-0x0000028CF8400000-0x0000028CF8402000-memory.dmp

                                                                                  Filesize

                                                                                  8KB

                                                                                • memory/4108-348-0x0000000000880000-0x00000000008FF000-memory.dmp

                                                                                  Filesize

                                                                                  508KB

                                                                                • memory/4108-327-0x0000000002A80000-0x0000000002AC5000-memory.dmp

                                                                                  Filesize

                                                                                  276KB

                                                                                • memory/4108-365-0x0000000005BA0000-0x00000000061A6000-memory.dmp

                                                                                  Filesize

                                                                                  6.0MB

                                                                                • memory/4108-371-0x0000000005590000-0x00000000055A2000-memory.dmp

                                                                                  Filesize

                                                                                  72KB

                                                                                • memory/4108-374-0x00000000056C0000-0x00000000057CA000-memory.dmp

                                                                                  Filesize

                                                                                  1.0MB

                                                                                • memory/4108-351-0x0000000000880000-0x00000000008FF000-memory.dmp

                                                                                  Filesize

                                                                                  508KB

                                                                                • memory/4144-332-0x0000000000F00000-0x000000000104A000-memory.dmp

                                                                                  Filesize

                                                                                  1.3MB

                                                                                • memory/4144-360-0x00000000002B0000-0x0000000000475000-memory.dmp

                                                                                  Filesize

                                                                                  1.8MB

                                                                                • memory/4144-372-0x0000000005C70000-0x0000000006276000-memory.dmp

                                                                                  Filesize

                                                                                  6.0MB

                                                                                • memory/4144-376-0x0000000005580000-0x0000000005592000-memory.dmp

                                                                                  Filesize

                                                                                  72KB

                                                                                • memory/4144-356-0x00000000002B0000-0x0000000000475000-memory.dmp

                                                                                  Filesize

                                                                                  1.8MB
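The memory dump list above is easier to triage when parsed rather than read by eye. As an added example (not part of this report or of the sandbox's own tooling), the Python helper below parses dump names of the form memory/<pid>-<seq>-<start>-<end>-memory.dmp, a scheme assumed from the entries on this page; it cross-checks each listed Filesize against the address range, de-duplicates ranges dumped more than once for the same PID, and flags dumps that begin at 0x400000, the default 32-bit PE image base, which are the usual candidates for an unpacked main module. Treating the middle number as a dump sequence counter is an assumption. The sample list is constructed from entries on this page plus one deliberately mis-sized entry (PID 9999) so the size check has something to report.

```python
import re
from collections import defaultdict

# Assumed naming scheme for the sandbox's dumps: memory/<pid>-<seq>-<start>-<end>-memory.dmp.
# <seq> is taken to be a dump sequence counter (assumption), not part of the address.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: entries copied from the report, paired with their listed Filesize,
# plus one constructed entry (PID 9999) whose listed size is wrong on purpose.
SAMPLE = [
    ("memory/3416-151-0x0000000000400000-0x000000000094E000-memory.dmp", "5.3MB"),
    ("memory/3416-118-0x0000000000C41000-0x0000000000CA6000-memory.dmp", "404KB"),
    ("memory/3640-208-0x0000018B4A040000-0x0000018B4A042000-memory.dmp", "8KB"),
    ("memory/3640-209-0x0000018B4A040000-0x0000018B4A042000-memory.dmp", "8KB"),
    ("memory/3676-129-0x0000000000400000-0x000000000046D000-memory.dmp", "436KB"),
    ("memory/4108-365-0x0000000005BA0000-0x00000000061A6000-memory.dmp", "6.0MB"),
    ("memory/4144-356-0x00000000002B0000-0x0000000000475000-memory.dmp", "1.8MB"),
    ("memory/9999-1-0x0000000000400000-0x0000000000500000-memory.dmp", "8KB"),  # constructed mismatch
]

DEFAULT_IMAGE_BASE = 0x400000  # default link-time base of a 32-bit PE executable


def parse_dump_name(name):
    """Split a dump file name into pid, seq, start, end and the region size in bytes."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a byte count the way the report does: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def check_sizes(entries):
    """Return the names whose listed Filesize does not match end - start."""
    return [name for name, listed in entries
            if human_size(parse_dump_name(name)["size"]) != listed]


def regions_by_pid(entries):
    """Group dumped ranges per PID, collapsing ranges that were dumped more than once."""
    by_pid = defaultdict(set)
    for name, _ in entries:
        info = parse_dump_name(name)
        by_pid[info["pid"]].add((info["start"], info["end"]))
    return {pid: sorted(ranges) for pid, ranges in by_pid.items()}


def image_base_dumps(entries, base=DEFAULT_IMAGE_BASE):
    """Dumps that start at the default image base: first place to look for an unpacked module."""
    return [name for name, _ in entries if parse_dump_name(name)["start"] == base]


if __name__ == "__main__":
    for pid, ranges in sorted(regions_by_pid(SAMPLE).items()):
        print(pid, [f"0x{s:X}-0x{e:X} ({human_size(e - s)})" for s, e in ranges])
    print("size mismatches:", check_sizes(SAMPLE))
    print("image-base dumps:", image_base_dumps(SAMPLE))
```

Run against the full list on this page, every listed Filesize matches its address range, so the sizes can be trusted for carving; the two 0x400000 dumps (PIDs 3416 and 3676) are where to start looking for the unpacked payloads, while the 0x18B..., 0x1C4... and 0x28C... ranges are 64-bit user-mode addresses and belong to 64-bit processes.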