Analysis
max time kernel: 184s
max time network: 196s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
submitted: 25-11-2022 13:12
Static task
static1
Behavioral task
behavioral1
Sample
e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe
Resource
win10v2004-20221111-en
General
Target: e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe
Size: 5.7MB
MD5: 2edad48321223ce46e3b1b567cbe7eca
SHA1: 9f6bb6230bab8143c64bf4179b1cf6a22e7c4818
SHA256: e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06
SHA512: c41ca288b3637784e913a04759615f8484e0b815410f4013ef0a025d27e13c374d5f4f7d15b0dc99e7c3d0d82d753514cdf6e390f2536b25880c4ca6212fc5af
SSDEEP: 98304:rL+wWs7EMO5L6LeyN4mB7ksBDfkPfurxqftiHaSWHD+JiQ0NSHtj5zV:nfE15eiyNqcDAfhVR+JifYtdB
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2036 | optprosetup.exe
1092 | optprosetup.tmp
2032 | OptProStart.exe
-
Modifies AppInit DLL entries 2 TTPs
-
Loads dropped DLL 21 IoCs
Processes:
pid | process
1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe
2036 | optprosetup.exe
1092 | optprosetup.tmp
1092 | optprosetup.tmp
1092 | optprosetup.tmp
1092 | optprosetup.tmp
1092 | optprosetup.tmp
1092 | optprosetup.tmp
1092 | optprosetup.tmp
1092 | optprosetup.tmp
692 | rundll32.exe
692 | rundll32.exe
692 | rundll32.exe
692 | rundll32.exe
780 | rundll32.exe
780 | rundll32.exe
780 | rundll32.exe
780 | rundll32.exe
1092 | optprosetup.tmp
1092 | optprosetup.tmp
780 | rundll32.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | optprosetup.tmp
Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Optimizer Pro = "C:\\Program Files (x86)\\Optimizer Pro\\OptProLauncher.exe" | optprosetup.tmp
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 36 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\Optimizer Pro\OptProCrash.dll | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProSchedule.exe | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-4A4R7.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-8A8MJ.tmp | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\unins000.dat | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-Q6PQ8.tmp | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProUninstaller.exe | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProSmartScan.exe | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-QEEOS.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-JO04B.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-7PFGQ.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\unins000.msg | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\sqlite3.dll | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProHelper.dll | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-GUBRH.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-BQSSJ.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-ESPIN.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-8JKFG.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-KR1GV.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-GKOH8.tmp | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptimizerPro.chm | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-SCHL0.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-NVK2F.tmp | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProReminder.exe | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-9PNVF.tmp | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptimizerPro.exe | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\itdownload.dll | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-RL39F.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-70EFI.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-MSIQ3.tmp | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-GN3EF.tmp | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProStart.exe | optprosetup.tmp
File opened for modification | C:\Program Files (x86)\Optimizer Pro\OptProGuard.exe | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\unins000.dat | optprosetup.tmp
File created | C:\Program Files (x86)\Optimizer Pro\is-K4RCS.tmp | optprosetup.tmp
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 51 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000 | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\6185d035 = "VP/h/CP/V//l////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\65114b36 = "VP/+////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\a1dcff5b = "V/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\bbf88800 = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\d94388d2 = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f0bf0bde = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\fe94ce1e = "V/////%%" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\3efeb33e = (value omitted) | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\0dc3ee96 = "/P////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\340d3099 = "/P////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\a0743acc = "N/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c24899a6 = "Vx/g/C//M/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\d1abcdb6 = "///%" | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\a47da861 = (value omitted) | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\2d71d5ab = "V/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\2e22d94e = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\51d2f2ea = "IlAl/YP/J/Af/X6/PlAf/XD/blAq/B//VP/j/Cx/V//j/CZ/V//l/CZ////%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\8b9e4cbc = "V/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\a2e3b941 = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c6c5dd44 = "V/////%%" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F} | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\0c230bcb = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\27ddcf6f = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\587b5709 = "V/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\72758a5d = "///%" | rundll32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\iiid = "1" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\493c7345 = 00000000 | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\0e93c3f3 = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\1520c6f1 = "V/////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\7367429f = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c99a5f5c = "///%" | rundll32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\00000000\370856c7 = (value omitted) | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\1c311243 = "alAl/YP/b/Af/X6/clAu/XZ/UxAp/X2/GxAk////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f6ad6fa6 = "VP/l/C//V/////%%" | rundll32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\3c09c42b = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\414bc593 = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\48bd1aff = "VP/l/C//N//l////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\7f69fa1f = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\c5705860 = "Vx////%%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\e46c271e = "///%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\060df2cd = "alAl/YP/b/Af/X6/UxAp/X2/GxAk////" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%" | rundll32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}\_70e6ca8c\eae10f9d\f1f24e29 = "Vl/l/C/////%" | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid | process
1092 | optprosetup.tmp
1092 | optprosetup.tmp
780 | rundll32.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
1092 | optprosetup.tmp
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 1224 wrote to memory of 2036 | 1224 | e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe | optprosetup.exe
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 2036 wrote to memory of 1092 | 2036 | optprosetup.exe | optprosetup.tmp
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1092 wrote to memory of 692 | 1092 | optprosetup.tmp | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1016 wrote to memory of 780 | 1016 | rundll32.exe | rundll32.exe
PID 1092 wrote to memory of 2032 | 1092 | optprosetup.tmp | OptProStart.exe
PID 1092 wrote to memory of 2032 | 1092 | optprosetup.tmp | OptProStart.exe
PID 1092 wrote to memory of 2032 | 1092 | optprosetup.tmp | OptProStart.exe
PID 1092 wrote to memory of 2032 | 1092 | optprosetup.tmp | OptProStart.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e3a2008dd8a115dda9e5109b0965744e591f00ceafbdedc8291594feef251f06.exe"
Depth: 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
Command line: C:\Users\Admin\AppData\Local\Temp\\optprosetup.exe /VERYSILENT
Depth: 2
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-N1FHD.tmp\optprosetup.tmp
Command line: "C:\Users\Admin\AppData\Local\Temp\is-N1FHD.tmp\optprosetup.tmp" /SL5="$60128,5283427,118784,C:\Users\Admin\AppData\Local\Temp\optprosetup.exe" /VERYSILENT
Depth: 3
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT -install
Depth: 4
- Loads dropped DLL
-
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
Command line: "C:\Program Files (x86)\Optimizer Pro\OptProStart.exe"
Depth: 4
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT
Depth: 1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll",ENT
Depth: 2
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Optimizer Pro\OptProStart.exe
Filesize: 643KB
MD5: 1713fa8e8ecdfb32c46dd466c63107c6
SHA1: 3798f368de630f751d3c05de7f9cfe7134caa604
SHA256: 8e8c99cbefb1e13e19b730c287f8a46b175f888d1959948bb9540008233dca2f
SHA512: 71bf969af56061520a534ed5c25bed4fca5fbda02218fe79eab1bb32912c7e3da6bd3071ed5b3a1259205e145d1251ab4dd74cc2afc99ab708b50c39e98470c1
-
C:\Users\Admin\AppData\Local\Temp\is-N1FHD.tmp\optprosetup.tmp
Filesize: 1.1MB
MD5: 50488cf899d007d697893fc72a823fb0
SHA1: bc5512f623656ad69a054d558c35d463a5a8a6c1
SHA256: d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf
SHA512: 2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0
-
C:\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize: 5.5MB
MD5: 24bcaf1bbb1f29e0245416b5d2873e46
SHA1: ebf1d052c13b9f415afe09541bdab68f37429922
SHA256: fe4797861027b93ec089ffb3c3adcfc35c56a91839cfe5fcff79eeb8ea520d40
SHA512: aeff74eecba81fa8ca6afba44628e725e65334e8f712e5a7c0ab14fb48b1b495730d69a3264258ecbe01ae1693b3781db4b08221bc377d8a11e29e0c3766d55c
-
\??\c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll
Filesize: 3.4MB
MD5: 8565b14afbe6625e11065a3526c75192
SHA1: 2eff65173426ca303dec447d66028552629836d5
SHA256: da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11
SHA512: 2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9
-
\Program Files (x86)\Optimizer Pro\OptProCrash.dll
Filesize: 3.4MB
MD5: 8565b14afbe6625e11065a3526c75192
SHA1: 2eff65173426ca303dec447d66028552629836d5
SHA256: da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11
SHA512: 2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9
-
\Program Files (x86)\Optimizer Pro\OptProStart.exe
Filesize: 643KB
MD5: 1713fa8e8ecdfb32c46dd466c63107c6
SHA1: 3798f368de630f751d3c05de7f9cfe7134caa604
SHA256: 8e8c99cbefb1e13e19b730c287f8a46b175f888d1959948bb9540008233dca2f
SHA512: 71bf969af56061520a534ed5c25bed4fca5fbda02218fe79eab1bb32912c7e3da6bd3071ed5b3a1259205e145d1251ab4dd74cc2afc99ab708b50c39e98470c1
-
\Program Files (x86)\Optimizer Pro\OptimizerPro.exe
Filesize: 3.1MB
MD5: 70e0dbcb86cc0f5bbc30bcd282d9af3a
SHA1: b053662df60bc86e87201fffa40d1784db85ce9d
SHA256: e5af651f8fe7f90fff783548d212baae195e11495ae7bd8fc900097b40b53123
SHA512: 94529d2ddbfe09d4948ea7ddd76669be5d7dc5918c2c439d6552794b6490d41624b68401457db2efc1de31ce25bd111c84e7616ae9dd2f93488ea8dd84d5ac13
-
\Program Files (x86)\Optimizer Pro\unins000.exe
Filesize: 1.1MB
MD5: 50488cf899d007d697893fc72a823fb0
SHA1: bc5512f623656ad69a054d558c35d463a5a8a6c1
SHA256: d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf
SHA512: 2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0
-
\Users\Admin\AppData\Local\Temp\is-6IMAJ.tmp\OptProCrash.dll
Filesize: 3.4MB
MD5: 8565b14afbe6625e11065a3526c75192
SHA1: 2eff65173426ca303dec447d66028552629836d5
SHA256: da5cd23d75fb370d412568ae909e113145e0e472d8a9a80b3e06ed3c8f839c11
SHA512: 2740810ab2042e8dd3b887566b0f2bc540ff07737a079c32cf35498e32729651db9466d2db33ff092d43b8735a0b6b83571a146e5503152ced971b23b9e56dd9
-
\Users\Admin\AppData\Local\Temp\is-6IMAJ.tmp\_isetup\_shfoldr.dll
Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
\Users\Admin\AppData\Local\Temp\is-6IMAJ.tmp\itdownload.dll
Filesize: 200KB
MD5: d82a429efd885ca0f324dd92afb6b7b8
SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512: 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
\Users\Admin\AppData\Local\Temp\is-N1FHD.tmp\optprosetup.tmp
Filesize: 1.1MB
MD5: 50488cf899d007d697893fc72a823fb0
SHA1: bc5512f623656ad69a054d558c35d463a5a8a6c1
SHA256: d9b74c8ed046400b8966ca503bc5a4f0445736949651c4af8faefc68265652cf
SHA512: 2b275262a2f7a4a55bc40a8e3e264831273d04f197f52fabfbdb9720f0754da17d3da6a872590aebd5e4fc462b25b55c34c45e56fd7319bf1b52d847dd4f74a0
-
\Users\Admin\AppData\Local\Temp\optprosetup.exe
Filesize: 5.5MB
MD5: 24bcaf1bbb1f29e0245416b5d2873e46
SHA1: ebf1d052c13b9f415afe09541bdab68f37429922
SHA256: fe4797861027b93ec089ffb3c3adcfc35c56a91839cfe5fcff79eeb8ea520d40
SHA512: aeff74eecba81fa8ca6afba44628e725e65334e8f712e5a7c0ab14fb48b1b495730d69a3264258ecbe01ae1693b3781db4b08221bc377d8a11e29e0c3766d55c
-
memory/692-77-0x0000000000000000-mapping.dmp
-
memory/780-84-0x0000000000000000-mapping.dmp
-
memory/1092-71-0x0000000073DF1000-0x0000000073DF3000-memory.dmp
Filesize: 8KB
-
memory/1092-62-0x0000000000000000-mapping.dmp
-
memory/2032-92-0x0000000000000000-mapping.dmp
-
memory/2036-67-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2036-58-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2036-57-0x0000000075291000-0x0000000075293000-memory.dmp
Filesize: 8KB
-
memory/2036-95-0x0000000000400000-0x0000000000427000-memory.dmp
Filesize: 156KB
-
memory/2036-55-0x0000000000000000-mapping.dmp