Analysis
-
max time kernel
596s -
max time network
596s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
01-07-2022 10:19
General
-
Target
June-06028_65-Report.iso
-
Size
1.9MB
-
MD5
472097d742b7a64531766ec22826bcad
-
SHA1
ef95618ef18e7feb5b0d0563a47acea38b03b94c
-
SHA256
45ff00e7a848fdb2c5ecb5fbdf608c492c20fdf68ecbe12637f599ed0aea7f6b
-
SHA512
3ff26d6c8b7a62ce902006a6f78e1aa5bdb6fe19dc008855f39df2a7de8f5a7ed50c2015dc3183c973ac8fd18a3c310dd9f8f90ce0988a1978226370ab9880c5
Malware Config
Extracted
icedid
3568430872
alionavon.com
Signatures
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
suricata: ET MALWARE Win32/IcedID Request Cookie
suricata: ET MALWARE Win32/IcedID Request Cookie
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 6 IoCs
-
Registers COM server for autorun 1 TTPs 6 IoCs
-
Loads dropped DLL 45 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 55 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\June-06028_65-Report.iso1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\isoburn.exe"C:\Windows\System32\isoburn.exe" "C:\Users\Admin\AppData\Local\Temp\June-06028_65-Report.iso"2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ec4f50,0x7fef6ec4f60,0x7fef6ec4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1052 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3276 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3592 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3656 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3572 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3492 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3812 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4764 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4368 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4416 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5232 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5020 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4900 /prefetch:82⤵
-
C:\Users\Admin\Downloads\PowerISO8-x64.exe"C:\Users\Admin\Downloads\PowerISO8-x64.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s /u "C:\Program Files\PowerISO\PWRISOSH.DLL"3⤵
-
C:\Program Files\PowerISO\devcon.exe"C:\Program Files\PowerISO\devcon.exe" remove *scdbusDevice3⤵
- Executes dropped EXE
-
C:\Program Files\PowerISO\setup64.exe"C:\Program Files\PowerISO\setup64.exe" cp C:\Users\Admin\AppData\Local\Temp\nseFAD7.tmp "C:\Windows\system32\Drivers\scdemu.sys"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"3⤵
- Loads dropped DLL
-
C:\Windows\system32\regsvr32.exe/s "C:\Program Files\PowerISO\PWRISOSH.DLL"4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files\PowerISO\PWRISOVM.EXE"C:\Program Files\PowerISO\PWRISOVM.EXE" 9993⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://www.poweriso.com/thankyou.htm3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:984 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:82⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=632 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 /prefetch:82⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1528 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3432 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=940,18162008149550183799,3825456137996483475,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 /prefetch:82⤵
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5341⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\PowerISO\PowerISO.exe"C:\Program Files\PowerISO\PowerISO.exe" -pf C:\Users\Admin\AppData\Local\Temp\E496.tmp1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\PowerISO\PWRISOSH.DLL"2⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" r7kom.dll, #11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1832_1211053155\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1832_1211053155\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={fde86788-15b7-4bd7-a7a1-98cafb998845} --system2⤵
- Executes dropped EXE
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" r7kom.dll, #11⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\r7kom.dll1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\PowerISO\PWRISOSH.DLLFilesize
325KB
MD5751457ed43b489beb89b86fa01d0edf6
SHA1e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6
SHA256dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e
SHA5125a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590
-
C:\Program Files\PowerISO\PWRISOVM.EXEFilesize
449KB
MD5af7ede04850080dee68fe70e4e774530
SHA1ca364f1790e31f4414d8a3f3b475e4008dd8f4b5
SHA256526b768cd980f474751037bbc4db979764e0090c629cb40aa3fcfc107f04a641
SHA512f4c0a27a3db4f73082f99a79cefaaa21f96583fc416a83896b83876e39264413cb3de5e8abb97be34c61e1d068c60c56b02ef7bb5c98913b9cd244a3ab789ad2
-
C:\Program Files\PowerISO\devcon.exeFilesize
69KB
MD59d199564b65a91a531b23844649459e9
SHA18d84359ced1c51d14e70cb5ed36a6083c8b914cf
SHA2568dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42
SHA512ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1
-
C:\Program Files\PowerISO\setup64.exeFilesize
18KB
MD5edda92af8f1a180c165f92951ed55a42
SHA11eb86ca757395527fd5d32bc3f8dbd482e3f6b51
SHA2564d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738
SHA51226a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.datFilesize
9KB
MD55af5e4dd7376a0b402b380bb6b9e543a
SHA1cbc5e0ca2637f39d0690dd23a15e58401e57f631
SHA2562f2aec1087f6d91e37dcff2c53e4d887c6db487d363c28be9aa790cb99ece15e
SHA512300ad8483a4331e38b3dee82b49e97a26aabd645db3b9b6b576ae5d9c8e2da8a9fcc26c896b406a01f83d7e90bc1eeccc316511e938642c9e5722a375a6aeac2
-
C:\Users\Admin\AppData\Local\Temp\nseFAD7.tmpFilesize
135KB
MD592eae8dec1f992db12aa23d9d55f264a
SHA1add6697b8c1c71980e391619e81e0bada05e38ee
SHA256d01a58e0a222e4d301b75ae80150d8cbc17f56b3f6458352d2c7c449be302eee
SHA512443a12a1a49e388725ee347e650297ba5268d655acd08e623ea988cde07ae08ae861620b600fb223358339eeab926fee1c8377386501310c68a3eb9515649441
-
C:\Users\Admin\Downloads\PowerISO8-x64.exeFilesize
4.3MB
MD57749f78b2213b9d29ad0a615cd9811b7
SHA1ee24f55ecb0a4e2318f9a5a8a73af2679a395a79
SHA256ddfda881e7f0806cec42e0148c9b357d0b877e95c03db491c5a66f516f4ba4bf
SHA51216b9b2a669ad846934612fe2957cdb8799b7062f2a08bb9a68e16f222ff3ea1436a030e67ec43584255e51746d70cb6ce6a5e70101e7a9fd245e23ee34693446
-
C:\Users\Admin\Downloads\PowerISO8-x64.exeFilesize
4.3MB
MD57749f78b2213b9d29ad0a615cd9811b7
SHA1ee24f55ecb0a4e2318f9a5a8a73af2679a395a79
SHA256ddfda881e7f0806cec42e0148c9b357d0b877e95c03db491c5a66f516f4ba4bf
SHA51216b9b2a669ad846934612fe2957cdb8799b7062f2a08bb9a68e16f222ff3ea1436a030e67ec43584255e51746d70cb6ce6a5e70101e7a9fd245e23ee34693446
-
\??\pipe\crashpad_268_PLOQLELMBLZOWHYQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\PowerISO\PWRISOSH.DLLFilesize
325KB
MD5751457ed43b489beb89b86fa01d0edf6
SHA1e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6
SHA256dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e
SHA5125a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590
-
\Program Files\PowerISO\PWRISOSH.DLLFilesize
325KB
MD5751457ed43b489beb89b86fa01d0edf6
SHA1e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6
SHA256dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e
SHA5125a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590
-
\Program Files\PowerISO\PWRISOSH.DLLFilesize
325KB
MD5751457ed43b489beb89b86fa01d0edf6
SHA1e5c8c98de0e3e13f3102a89546ee811cbd4c9bf6
SHA256dce4c19e87fa27dcbd82750edba77a95ef8e40845fbc8eb9f928bce0ea22179e
SHA5125a9eb89f6fc27d2200db12cc01a670fe3382a9d5993cd9fcb7670b9ccbc2278a02a1aab92ec0cfa820f3f161dbcfa035e930cb9585d9e3bd3109fb5a2dac9590
-
\Program Files\PowerISO\PWRISOVM.EXEFilesize
449KB
MD5af7ede04850080dee68fe70e4e774530
SHA1ca364f1790e31f4414d8a3f3b475e4008dd8f4b5
SHA256526b768cd980f474751037bbc4db979764e0090c629cb40aa3fcfc107f04a641
SHA512f4c0a27a3db4f73082f99a79cefaaa21f96583fc416a83896b83876e39264413cb3de5e8abb97be34c61e1d068c60c56b02ef7bb5c98913b9cd244a3ab789ad2
-
\Program Files\PowerISO\PWRISOVM.EXEFilesize
449KB
MD5af7ede04850080dee68fe70e4e774530
SHA1ca364f1790e31f4414d8a3f3b475e4008dd8f4b5
SHA256526b768cd980f474751037bbc4db979764e0090c629cb40aa3fcfc107f04a641
SHA512f4c0a27a3db4f73082f99a79cefaaa21f96583fc416a83896b83876e39264413cb3de5e8abb97be34c61e1d068c60c56b02ef7bb5c98913b9cd244a3ab789ad2
-
\Program Files\PowerISO\PWRISOVM.EXEFilesize
449KB
MD5af7ede04850080dee68fe70e4e774530
SHA1ca364f1790e31f4414d8a3f3b475e4008dd8f4b5
SHA256526b768cd980f474751037bbc4db979764e0090c629cb40aa3fcfc107f04a641
SHA512f4c0a27a3db4f73082f99a79cefaaa21f96583fc416a83896b83876e39264413cb3de5e8abb97be34c61e1d068c60c56b02ef7bb5c98913b9cd244a3ab789ad2
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\PowerISO.exeFilesize
5.7MB
MD55bcf67b332de5c126694d0247af2fc37
SHA155a6c8ac48c79f69b1be5e88e0ef8ac87bfa500c
SHA2561cdeb23890e8017cb0cffebc5c8fdfda4f0eb1f2bc556ee7e078081ad3e8918e
SHA51235b237312120a282fa667e9b6392b3e29a775f1fc1bc98eadf9bbcf8c32586db8960c5353588df0fea33e007dc1ca37612896e828253992a0b44329a55190796
-
\Program Files\PowerISO\devcon.exeFilesize
69KB
MD59d199564b65a91a531b23844649459e9
SHA18d84359ced1c51d14e70cb5ed36a6083c8b914cf
SHA2568dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42
SHA512ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1
-
\Program Files\PowerISO\devcon.exeFilesize
69KB
MD59d199564b65a91a531b23844649459e9
SHA18d84359ced1c51d14e70cb5ed36a6083c8b914cf
SHA2568dc2490d1d650e3ffbf70922b81ae9800ddd29a644e4d7d29e9616e22a7d0f42
SHA512ae522945d3ddcd7c2d99da14ba62d556928b7e6dfcb07114f13481777878a8ffa448170cebbf76da80d9ae45d0e3a509b0f2a7bd702773c1efcaca26496010d1
-
\Program Files\PowerISO\setup64.exeFilesize
18KB
MD5edda92af8f1a180c165f92951ed55a42
SHA11eb86ca757395527fd5d32bc3f8dbd482e3f6b51
SHA2564d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738
SHA51226a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873
-
\Program Files\PowerISO\setup64.exeFilesize
18KB
MD5edda92af8f1a180c165f92951ed55a42
SHA11eb86ca757395527fd5d32bc3f8dbd482e3f6b51
SHA2564d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738
SHA51226a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873
-
\Program Files\PowerISO\setup64.exeFilesize
18KB
MD5edda92af8f1a180c165f92951ed55a42
SHA11eb86ca757395527fd5d32bc3f8dbd482e3f6b51
SHA2564d23f626854a739b5805199e710f9d4c55c4e89aa9dc00491cfbb0b990707738
SHA51226a6f72544c8f4ea89af3b16a60e2a9f0d1e5f9575a14a43f0c96b78a6e8f29595b38c109688bd21418955b57d45805980dd2d1ea76504e08c94e09bb506f873
-
\Program Files\PowerISO\uninstall.exeFilesize
137KB
MD5e4895fbcee307538dc6344371e649cc1
SHA19c2f028694e7d34215acb06901b2f1e4bb44e416
SHA2565d987f547ac3dc7e9f28a6746af08d7c6fcfb869f2f2bcebf5ad54d1d89bd4ca
SHA512d7a747f3f391122642d8e0598343d09399ee23934931ebc6995219892432eb2c9cb0dd4e4982ecab355a8984b1f69ee3884f692bf37385d71abbc6ef56dea418
-
\Users\Admin\AppData\Local\Temp\nstD56B.tmp\InstOpt.dllFilesize
25KB
MD56a45ec125830c244261b28fe97fb9f9d
SHA1f30e65fa3a84c9078bf29af4b4d08ec618a8e44f
SHA256fa8b56b52dc7130d924d0060633b5763c032408385a47ec7438d5e1d481d2fe5
SHA5125387439a2a1f235a2ffe934570db8ab200e2688496d2be39d8f6a47dc7fb55e6e30e957b5b2f6d79799581278bd57c03dc81908afa5e9707375a14ec8a34e4e2
-
\Users\Admin\AppData\Local\Temp\nstD56B.tmp\System.dllFilesize
12KB
MD58cf2ac271d7679b1d68eefc1ae0c5618
SHA17cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA2566950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
-
memory/1048-96-0x0000000000000000-mapping.dmp
-
memory/1560-92-0x0000000000000000-mapping.dmp
-
memory/1916-76-0x0000000000000000-mapping.dmp
-
memory/2024-54-0x000007FEFC061000-0x000007FEFC063000-memory.dmpFilesize
8KB
-
memory/2080-84-0x0000000076011000-0x0000000076013000-memory.dmpFilesize
8KB
-
memory/2080-82-0x0000000000000000-mapping.dmp
-
memory/2128-109-0x0000000000000000-mapping.dmp
-
memory/2184-113-0x0000000000000000-mapping.dmp
-
memory/2256-87-0x0000000000000000-mapping.dmp
-
memory/2308-118-0x0000000000000000-mapping.dmp
-
memory/2468-129-0x0000000180000000-0x0000000180009000-memory.dmpFilesize
36KB
-
memory/2580-135-0x0000000000000000-mapping.dmp
-
memory/2712-127-0x0000000000000000-mapping.dmp