privateloader | af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903

Analysis

max time kernel
150s
max time network
143s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Size

1.5MB
MD5

f851db8aac31ab23a106496336b8a3a7
SHA1

8f8b9d388d0273cbb14e574b84c9714a966bd576
SHA256

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903
SHA512

e5032f1d8b4e70f06ef93619dba8d97b451dbdec410c21cf1b820b612168008b0d6be9b7538398acd01c3d6b2500644dc859f525618035f6ed000f3d8117e1cb
SSDEEP

24576:Bk74Y8deUAsBeZYyYoMGYVl2Jjj/O3O3al5e6Lz4/9j3tC2lyUJaRy8:3Y8dhedMfQGWal5ngFjdC2lcQ8

Score

10^/10

privateloader evasion loader main spyware stealer themida trojan vmprotect

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

pbWlRiVtT0XPahkf0NiZCAdI.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ pbWlRiVtT0XPahkf0NiZCAdI.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pbWlRiVtT0XPahkf0NiZCAdI.exe

Executes dropped EXE 10 IoCs

Processes:

pbWlRiVtT0XPahkf0NiZCAdI.exeqw6OAgJSy5EwW_poeagpgue6.exeHjPoBf8hli_q_CaYX4lEG2yV.exes8_stbvNmqy7GjceMFXStno9.exebO4BVTZZbTyBlSJdpwcT1T8B.exeeJIQRFhIbjaq2tLMUW0YuzQ6.exeNaBHDLth27S6jKW_Zj7p74HM.exePo__pVp1XuK8OpGQxazOuNkJ.exemDFsGOp3MNr2n0XK4JAExmOa.exeVaU79gU5up_Nau5eQ1t01s45.exe

pid	process
1120	pbWlRiVtT0XPahkf0NiZCAdI.exe
1032	qw6OAgJSy5EwW_poeagpgue6.exe
944	HjPoBf8hli_q_CaYX4lEG2yV.exe
340	s8_stbvNmqy7GjceMFXStno9.exe
1884	bO4BVTZZbTyBlSJdpwcT1T8B.exe
1200	eJIQRFhIbjaq2tLMUW0YuzQ6.exe
1476	NaBHDLth27S6jKW_Zj7p74HM.exe
1484	Po__pVp1XuK8OpGQxazOuNkJ.exe
1644	mDFsGOp3MNr2n0XK4JAExmOa.exe
592	VaU79gU5up_Nau5eQ1t01s45.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\RnmveBzrtB6_IHeA024R5xvJ.exe	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pbWlRiVtT0XPahkf0NiZCAdI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pbWlRiVtT0XPahkf0NiZCAdI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pbWlRiVtT0XPahkf0NiZCAdI.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

Loads dropped DLL 16 IoCs

Processes:

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

pid	process
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\Pictures\Adobe Films\pbWlRiVtT0XPahkf0NiZCAdI.exe	themida
C:\Users\Admin\Pictures\Adobe Films\pbWlRiVtT0XPahkf0NiZCAdI.exe	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

pbWlRiVtT0XPahkf0NiZCAdI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	pbWlRiVtT0XPahkf0NiZCAdI.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 ipinfo.io
11 ipinfo.io
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

pbWlRiVtT0XPahkf0NiZCAdI.exe

pid process

1120 pbWlRiVtT0XPahkf0NiZCAdI.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

pid process

784 af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

flow	ioc
10	ipinfo.io
11	ipinfo.io

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe

description	pid	process	target process
PID 784 wrote to memory of 1032	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	qw6OAgJSy5EwW_poeagpgue6.exe
PID 784 wrote to memory of 1032	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	qw6OAgJSy5EwW_poeagpgue6.exe
PID 784 wrote to memory of 1032	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	qw6OAgJSy5EwW_poeagpgue6.exe
PID 784 wrote to memory of 1032	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	qw6OAgJSy5EwW_poeagpgue6.exe
PID 784 wrote to memory of 1120	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	pbWlRiVtT0XPahkf0NiZCAdI.exe
PID 784 wrote to memory of 1120	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	pbWlRiVtT0XPahkf0NiZCAdI.exe
PID 784 wrote to memory of 1120	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	pbWlRiVtT0XPahkf0NiZCAdI.exe
PID 784 wrote to memory of 1120	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	pbWlRiVtT0XPahkf0NiZCAdI.exe
PID 784 wrote to memory of 1784	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	RnmveBzrtB6_IHeA024R5xvJ.exe
PID 784 wrote to memory of 1784	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	RnmveBzrtB6_IHeA024R5xvJ.exe
PID 784 wrote to memory of 1784	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	RnmveBzrtB6_IHeA024R5xvJ.exe
PID 784 wrote to memory of 1784	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	RnmveBzrtB6_IHeA024R5xvJ.exe
PID 784 wrote to memory of 944	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	HjPoBf8hli_q_CaYX4lEG2yV.exe
PID 784 wrote to memory of 944	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	HjPoBf8hli_q_CaYX4lEG2yV.exe
PID 784 wrote to memory of 944	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	HjPoBf8hli_q_CaYX4lEG2yV.exe
PID 784 wrote to memory of 944	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	HjPoBf8hli_q_CaYX4lEG2yV.exe
PID 784 wrote to memory of 340	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	s8_stbvNmqy7GjceMFXStno9.exe
PID 784 wrote to memory of 340	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	s8_stbvNmqy7GjceMFXStno9.exe
PID 784 wrote to memory of 340	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	s8_stbvNmqy7GjceMFXStno9.exe
PID 784 wrote to memory of 340	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	s8_stbvNmqy7GjceMFXStno9.exe
PID 784 wrote to memory of 592	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	VaU79gU5up_Nau5eQ1t01s45.exe
PID 784 wrote to memory of 592	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	VaU79gU5up_Nau5eQ1t01s45.exe
PID 784 wrote to memory of 592	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	VaU79gU5up_Nau5eQ1t01s45.exe
PID 784 wrote to memory of 592	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	VaU79gU5up_Nau5eQ1t01s45.exe
PID 784 wrote to memory of 1476	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	NaBHDLth27S6jKW_Zj7p74HM.exe
PID 784 wrote to memory of 1476	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	NaBHDLth27S6jKW_Zj7p74HM.exe
PID 784 wrote to memory of 1476	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	NaBHDLth27S6jKW_Zj7p74HM.exe
PID 784 wrote to memory of 1476	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	NaBHDLth27S6jKW_Zj7p74HM.exe
PID 784 wrote to memory of 1644	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	mDFsGOp3MNr2n0XK4JAExmOa.exe
PID 784 wrote to memory of 1644	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	mDFsGOp3MNr2n0XK4JAExmOa.exe
PID 784 wrote to memory of 1644	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	mDFsGOp3MNr2n0XK4JAExmOa.exe
PID 784 wrote to memory of 1644	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	mDFsGOp3MNr2n0XK4JAExmOa.exe
PID 784 wrote to memory of 1884	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	bO4BVTZZbTyBlSJdpwcT1T8B.exe
PID 784 wrote to memory of 1884	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	bO4BVTZZbTyBlSJdpwcT1T8B.exe
PID 784 wrote to memory of 1884	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	bO4BVTZZbTyBlSJdpwcT1T8B.exe
PID 784 wrote to memory of 1884	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	bO4BVTZZbTyBlSJdpwcT1T8B.exe
PID 784 wrote to memory of 1200	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	eJIQRFhIbjaq2tLMUW0YuzQ6.exe
PID 784 wrote to memory of 1200	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	eJIQRFhIbjaq2tLMUW0YuzQ6.exe
PID 784 wrote to memory of 1200	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	eJIQRFhIbjaq2tLMUW0YuzQ6.exe
PID 784 wrote to memory of 1200	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	eJIQRFhIbjaq2tLMUW0YuzQ6.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe
PID 784 wrote to memory of 1484	784	af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe	Po__pVp1XuK8OpGQxazOuNkJ.exe

C:\Users\Admin\AppData\Local\Temp\af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe
"C:\Users\Admin\AppData\Local\Temp\af9556b0b019ae8c9fa2d87471b64c6d96c3d725ab48ec634ba2e0a4f6f7a903.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\Pictures\Adobe Films\pbWlRiVtT0XPahkf0NiZCAdI.exe
"C:\Users\Admin\Pictures\Adobe Films\pbWlRiVtT0XPahkf0NiZCAdI.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1120

C:\Users\Admin\Pictures\Adobe Films\qw6OAgJSy5EwW_poeagpgue6.exe
"C:\Users\Admin\Pictures\Adobe Films\qw6OAgJSy5EwW_poeagpgue6.exe"
2⤵
- Executes dropped EXE
PID:1032

C:\Users\Admin\Pictures\Adobe Films\RnmveBzrtB6_IHeA024R5xvJ.exe
"C:\Users\Admin\Pictures\Adobe Films\RnmveBzrtB6_IHeA024R5xvJ.exe"
2⤵
PID:1784

C:\Users\Admin\Pictures\Adobe Films\s8_stbvNmqy7GjceMFXStno9.exe
"C:\Users\Admin\Pictures\Adobe Films\s8_stbvNmqy7GjceMFXStno9.exe"
2⤵
- Executes dropped EXE
PID:340

C:\Users\Admin\Pictures\Adobe Films\VaU79gU5up_Nau5eQ1t01s45.exe
"C:\Users\Admin\Pictures\Adobe Films\VaU79gU5up_Nau5eQ1t01s45.exe"
2⤵
- Executes dropped EXE
PID:592

C:\Users\Admin\Pictures\Adobe Films\HjPoBf8hli_q_CaYX4lEG2yV.exe
"C:\Users\Admin\Pictures\Adobe Films\HjPoBf8hli_q_CaYX4lEG2yV.exe"
2⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\Pictures\Adobe Films\eJIQRFhIbjaq2tLMUW0YuzQ6.exe
"C:\Users\Admin\Pictures\Adobe Films\eJIQRFhIbjaq2tLMUW0YuzQ6.exe"
2⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\Pictures\Adobe Films\NaBHDLth27S6jKW_Zj7p74HM.exe
"C:\Users\Admin\Pictures\Adobe Films\NaBHDLth27S6jKW_Zj7p74HM.exe"
2⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\Pictures\Adobe Films\mDFsGOp3MNr2n0XK4JAExmOa.exe
"C:\Users\Admin\Pictures\Adobe Films\mDFsGOp3MNr2n0XK4JAExmOa.exe"
2⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\Pictures\Adobe Films\bO4BVTZZbTyBlSJdpwcT1T8B.exe
"C:\Users\Admin\Pictures\Adobe Films\bO4BVTZZbTyBlSJdpwcT1T8B.exe"
2⤵
- Executes dropped EXE
PID:1884

C:\Users\Admin\Pictures\Adobe Films\Po__pVp1XuK8OpGQxazOuNkJ.exe
"C:\Users\Admin\Pictures\Adobe Films\Po__pVp1XuK8OpGQxazOuNkJ.exe"
2⤵
- Executes dropped EXE
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Adobe Films\HjPoBf8hli_q_CaYX4lEG2yV.exe
Filesize
330KB

MD5
cceeb294bd5e7b01e40f94616ae20df4

SHA1
6850d9bfbcc00b9cae98f197350905e3c2eca4e8

SHA256
91fde83c85a83a2ce242a1ebb819fd0eddc7291562d3cc756d64b6fd0a386b94

SHA512
121d63205c67b1bb7df41dc27169930a3f8acff7e16b1cdb39082e9d92c669348fc962b0b3d09e661c7e39f39c4a18a45db11918879f3e278d57d5774b0e4d10

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NaBHDLth27S6jKW_Zj7p74HM.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Po__pVp1XuK8OpGQxazOuNkJ.exe
Filesize
2.2MB

MD5
9c3d3e2ac022d61bf5e9c9d40c787283

SHA1
58ab3dc617dfbec2442409494c8d62872dc7bc14

SHA256
c4b55b325234a761e340f704c2eebf1e2ce53bfa2cf15684dd298a3d5674d568

SHA512
ff0e79faef38834f3aa0284bc911f2fd5976011a34d77e00ec12834bf243b41fc3ad3ac0743e514fc1ab6dfd31dc715474458fd80225f61417f117776e6ed4e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Po__pVp1XuK8OpGQxazOuNkJ.exe
Filesize
2.2MB

MD5
9c3d3e2ac022d61bf5e9c9d40c787283

SHA1
58ab3dc617dfbec2442409494c8d62872dc7bc14

SHA256
c4b55b325234a761e340f704c2eebf1e2ce53bfa2cf15684dd298a3d5674d568

SHA512
ff0e79faef38834f3aa0284bc911f2fd5976011a34d77e00ec12834bf243b41fc3ad3ac0743e514fc1ab6dfd31dc715474458fd80225f61417f117776e6ed4e0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VaU79gU5up_Nau5eQ1t01s45.exe
Filesize
348KB

MD5
6769f8ded9254765a851e0987753f357

SHA1
83f84ee62729844ef206d2cf0d7a18fe20fa5ff9

SHA256
6b2e3ed5c3e90f211fd187a2a010054d4ce49d3d1a3cdc03468d484f8e4adadb

SHA512
c3afd398f65e5920a64fe1721852772e063a00eacab8f5248ede2018b3f33e4e97fbad0205f878eeb87169a8883c4b384260470cb6e6ab6bc3b53eeb9d8c270d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bO4BVTZZbTyBlSJdpwcT1T8B.exe
Filesize
379KB

MD5
69872f3fe7ee1646a3e9db70060aed5b

SHA1
fc5e7b4caa8af614a34ea1288472b10d884183f5

SHA256
3d70e4d045f4c5dd9beb0da9be2bf9930bf57c85d45dd9664f9ba940b38c2123

SHA512
04eaf76e0b8f0128419bc595604f91ea49ac5dd028b6cd9ec2949f080e65f1066d05e25880f375664a808ab795cac8b436a0b3aba3d55a751fe086d519a8db42

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eJIQRFhIbjaq2tLMUW0YuzQ6.exe
Filesize
1.5MB

MD5
8ae3eec3627c21ce291f07c239aa43b3

SHA1
2f949c4ca792423ebb7108e58e06b8c6ad64b514

SHA256
8b7a712bec86037d7d2fcae89b0bfa1ea33bd14e1e34ddf823208182f164cab2

SHA512
94a1da3664a8dac7df12989e9cef9f187bde721b3f086433fbe6293fa6a5ba5cbee2328f44c986ff726b9c92dd669c6d21be7f38fde6b5e465d090976f3f7765

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mDFsGOp3MNr2n0XK4JAExmOa.exe
Filesize
323KB

MD5
fcfda76cb3018597a88307695af60907

SHA1
3d1e9a848ae52d6148f8bedd306eddeee938661c

SHA256
a5c537c7b6003cc06d6602ed94c89a0f18ff62d36f7c7037db36c9c6242bfd3a

SHA512
b0f66e09219b56c1c149972165aa650745661cd513d725655975c854d931cdb89049adbf6e2d08614730aa0e19b9d0ae4704949407f1a3a0f2b728d6bf1d06c2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pbWlRiVtT0XPahkf0NiZCAdI.exe
Filesize
2.1MB

MD5
e6c958d6186aa63eb6064737178b6951

SHA1
bb32ce0a30cdc7e39e8f3ef93c7420c1c9dffa7a

SHA256
eebeb8f37bef6e92068903c7a0dafa6a1a5f86f987ba1ad3336ccc855bfd317e

SHA512
c7c3d8b15452d43f7e603f1154142cfa47c6fb01b2a9fc774ecb875f7f71274b1c1a9de71e8b4a732ab5a9cc671106b9766855ebca45d05c6d4aa5ec91a35a8d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qw6OAgJSy5EwW_poeagpgue6.exe
Filesize
207KB

MD5
3e2c5562d9a65a751704427b8434c490

SHA1
8cabd55a1bb4f2dd106a01be4e40bd581067bbe7

SHA256
43b37157c5d5822b61744dcb961fb1fa0beebb5c54ae24be8e81b1a747f4b291

SHA512
8859f41a49f72ed923ede2c1b286f28ed4285c51556ceca135f1d2cadd2f0ac83135bf4d022a3b319f09098f20f05a0e65d72d368ad70178af3f9685ea6ddd82

Download Submit
C:\Users\Admin\Pictures\Adobe Films\s8_stbvNmqy7GjceMFXStno9.exe
Filesize
322KB

MD5
83d7560e37c5a2d3f891e0a568279005

SHA1
a941483be8ea1e189f1111f9858322c88d94e8a8

SHA256
160af97e68142c8ed61b395e43beda19186a513a1e96d5d282be377c3ef92fe7

SHA512
17191a92442b1dd9675d7b3b9a583e8c34927df274d4bf7b6e15282d251ead2ba66ca935e9b88657f6a3aa84591faab5edcb996a6fa250f1f92725bbc3c11a3f

Download Submit
\Users\Admin\Pictures\Adobe Films\HjPoBf8hli_q_CaYX4lEG2yV.exe
Filesize
330KB

MD5
cceeb294bd5e7b01e40f94616ae20df4

SHA1
6850d9bfbcc00b9cae98f197350905e3c2eca4e8

SHA256
91fde83c85a83a2ce242a1ebb819fd0eddc7291562d3cc756d64b6fd0a386b94

SHA512
121d63205c67b1bb7df41dc27169930a3f8acff7e16b1cdb39082e9d92c669348fc962b0b3d09e661c7e39f39c4a18a45db11918879f3e278d57d5774b0e4d10

Download Submit
\Users\Admin\Pictures\Adobe Films\HjPoBf8hli_q_CaYX4lEG2yV.exe
Filesize
330KB

MD5
cceeb294bd5e7b01e40f94616ae20df4

SHA1
6850d9bfbcc00b9cae98f197350905e3c2eca4e8

SHA256
91fde83c85a83a2ce242a1ebb819fd0eddc7291562d3cc756d64b6fd0a386b94

SHA512
121d63205c67b1bb7df41dc27169930a3f8acff7e16b1cdb39082e9d92c669348fc962b0b3d09e661c7e39f39c4a18a45db11918879f3e278d57d5774b0e4d10

Download Submit
\Users\Admin\Pictures\Adobe Films\NaBHDLth27S6jKW_Zj7p74HM.exe
Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
\Users\Admin\Pictures\Adobe Films\Po__pVp1XuK8OpGQxazOuNkJ.exe
Filesize
2.2MB

MD5
9c3d3e2ac022d61bf5e9c9d40c787283

SHA1
58ab3dc617dfbec2442409494c8d62872dc7bc14

SHA256
c4b55b325234a761e340f704c2eebf1e2ce53bfa2cf15684dd298a3d5674d568

SHA512
ff0e79faef38834f3aa0284bc911f2fd5976011a34d77e00ec12834bf243b41fc3ad3ac0743e514fc1ab6dfd31dc715474458fd80225f61417f117776e6ed4e0

Download Submit
\Users\Admin\Pictures\Adobe Films\RnmveBzrtB6_IHeA024R5xvJ.exe
Filesize
3.5MB

MD5
9ef13c56fed313c0726f8715c824ac80

SHA1
0f45abfd9cd263f8c93aaf43932caf7c00fa2754

SHA256
b55375af99e54da2ae6877ff642c5b85a0238992c0ae5b3703d1e0b650cf090b

SHA512
6e267fd129c95c507ad2d52d353448fc277fcc0f0a8cffd39d5c26e3a328aee97a1cadd987dc8ffa1a90ef008cb1a9e2d74791b39624e9fc6769ff331b10f21e

Download Submit
\Users\Admin\Pictures\Adobe Films\VaU79gU5up_Nau5eQ1t01s45.exe
Filesize
348KB

MD5
6769f8ded9254765a851e0987753f357

SHA1
83f84ee62729844ef206d2cf0d7a18fe20fa5ff9

SHA256
6b2e3ed5c3e90f211fd187a2a010054d4ce49d3d1a3cdc03468d484f8e4adadb

SHA512
c3afd398f65e5920a64fe1721852772e063a00eacab8f5248ede2018b3f33e4e97fbad0205f878eeb87169a8883c4b384260470cb6e6ab6bc3b53eeb9d8c270d

Download Submit
\Users\Admin\Pictures\Adobe Films\VaU79gU5up_Nau5eQ1t01s45.exe
Filesize
348KB

MD5
6769f8ded9254765a851e0987753f357

SHA1
83f84ee62729844ef206d2cf0d7a18fe20fa5ff9

SHA256
6b2e3ed5c3e90f211fd187a2a010054d4ce49d3d1a3cdc03468d484f8e4adadb

SHA512
c3afd398f65e5920a64fe1721852772e063a00eacab8f5248ede2018b3f33e4e97fbad0205f878eeb87169a8883c4b384260470cb6e6ab6bc3b53eeb9d8c270d

Download Submit
\Users\Admin\Pictures\Adobe Films\bO4BVTZZbTyBlSJdpwcT1T8B.exe
Filesize
379KB

MD5
69872f3fe7ee1646a3e9db70060aed5b

SHA1
fc5e7b4caa8af614a34ea1288472b10d884183f5

SHA256
3d70e4d045f4c5dd9beb0da9be2bf9930bf57c85d45dd9664f9ba940b38c2123

SHA512
04eaf76e0b8f0128419bc595604f91ea49ac5dd028b6cd9ec2949f080e65f1066d05e25880f375664a808ab795cac8b436a0b3aba3d55a751fe086d519a8db42

Download Submit
\Users\Admin\Pictures\Adobe Films\bO4BVTZZbTyBlSJdpwcT1T8B.exe
Filesize
379KB

MD5
69872f3fe7ee1646a3e9db70060aed5b

SHA1
fc5e7b4caa8af614a34ea1288472b10d884183f5

SHA256
3d70e4d045f4c5dd9beb0da9be2bf9930bf57c85d45dd9664f9ba940b38c2123

SHA512
04eaf76e0b8f0128419bc595604f91ea49ac5dd028b6cd9ec2949f080e65f1066d05e25880f375664a808ab795cac8b436a0b3aba3d55a751fe086d519a8db42

Download Submit
\Users\Admin\Pictures\Adobe Films\eJIQRFhIbjaq2tLMUW0YuzQ6.exe
Filesize
1.5MB

MD5
8ae3eec3627c21ce291f07c239aa43b3

SHA1
2f949c4ca792423ebb7108e58e06b8c6ad64b514

SHA256
8b7a712bec86037d7d2fcae89b0bfa1ea33bd14e1e34ddf823208182f164cab2

SHA512
94a1da3664a8dac7df12989e9cef9f187bde721b3f086433fbe6293fa6a5ba5cbee2328f44c986ff726b9c92dd669c6d21be7f38fde6b5e465d090976f3f7765

Download Submit
\Users\Admin\Pictures\Adobe Films\mDFsGOp3MNr2n0XK4JAExmOa.exe
Filesize
323KB

MD5
fcfda76cb3018597a88307695af60907

SHA1
3d1e9a848ae52d6148f8bedd306eddeee938661c

SHA256
a5c537c7b6003cc06d6602ed94c89a0f18ff62d36f7c7037db36c9c6242bfd3a

SHA512
b0f66e09219b56c1c149972165aa650745661cd513d725655975c854d931cdb89049adbf6e2d08614730aa0e19b9d0ae4704949407f1a3a0f2b728d6bf1d06c2

Download Submit
\Users\Admin\Pictures\Adobe Films\mDFsGOp3MNr2n0XK4JAExmOa.exe
Filesize
323KB

MD5
fcfda76cb3018597a88307695af60907

SHA1
3d1e9a848ae52d6148f8bedd306eddeee938661c

SHA256
a5c537c7b6003cc06d6602ed94c89a0f18ff62d36f7c7037db36c9c6242bfd3a

SHA512
b0f66e09219b56c1c149972165aa650745661cd513d725655975c854d931cdb89049adbf6e2d08614730aa0e19b9d0ae4704949407f1a3a0f2b728d6bf1d06c2

Download Submit
\Users\Admin\Pictures\Adobe Films\pbWlRiVtT0XPahkf0NiZCAdI.exe
Filesize
2.1MB

MD5
e6c958d6186aa63eb6064737178b6951

SHA1
bb32ce0a30cdc7e39e8f3ef93c7420c1c9dffa7a

SHA256
eebeb8f37bef6e92068903c7a0dafa6a1a5f86f987ba1ad3336ccc855bfd317e

SHA512
c7c3d8b15452d43f7e603f1154142cfa47c6fb01b2a9fc774ecb875f7f71274b1c1a9de71e8b4a732ab5a9cc671106b9766855ebca45d05c6d4aa5ec91a35a8d

Download Submit
\Users\Admin\Pictures\Adobe Films\qw6OAgJSy5EwW_poeagpgue6.exe
Filesize
207KB

MD5
3e2c5562d9a65a751704427b8434c490

SHA1
8cabd55a1bb4f2dd106a01be4e40bd581067bbe7

SHA256
43b37157c5d5822b61744dcb961fb1fa0beebb5c54ae24be8e81b1a747f4b291

SHA512
8859f41a49f72ed923ede2c1b286f28ed4285c51556ceca135f1d2cadd2f0ac83135bf4d022a3b319f09098f20f05a0e65d72d368ad70178af3f9685ea6ddd82

Download Submit
\Users\Admin\Pictures\Adobe Films\s8_stbvNmqy7GjceMFXStno9.exe
Filesize
322KB

MD5
83d7560e37c5a2d3f891e0a568279005

SHA1
a941483be8ea1e189f1111f9858322c88d94e8a8

SHA256
160af97e68142c8ed61b395e43beda19186a513a1e96d5d282be377c3ef92fe7

SHA512
17191a92442b1dd9675d7b3b9a583e8c34927df274d4bf7b6e15282d251ead2ba66ca935e9b88657f6a3aa84591faab5edcb996a6fa250f1f92725bbc3c11a3f

Download Submit
\Users\Admin\Pictures\Adobe Films\s8_stbvNmqy7GjceMFXStno9.exe
Filesize
322KB

MD5
83d7560e37c5a2d3f891e0a568279005

SHA1
a941483be8ea1e189f1111f9858322c88d94e8a8

SHA256
160af97e68142c8ed61b395e43beda19186a513a1e96d5d282be377c3ef92fe7

SHA512
17191a92442b1dd9675d7b3b9a583e8c34927df274d4bf7b6e15282d251ead2ba66ca935e9b88657f6a3aa84591faab5edcb996a6fa250f1f92725bbc3c11a3f

Download Submit
memory/340-74-0x0000000000000000-mapping.dmp

Download
memory/592-76-0x0000000000000000-mapping.dmp

Download
memory/784-66-0x0000000005C30000-0x00000000062E0000-memory.dmp

Filesize
6.7MB

Download
memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-55-0x00000000039E0000-0x0000000003C34000-memory.dmp

Filesize
2.3MB

Download
memory/784-56-0x00000000039E0000-0x0000000003C34000-memory.dmp

Filesize
2.3MB

Download
memory/784-57-0x0000000002520000-0x000000000254E000-memory.dmp

Filesize
184KB

Download
memory/944-69-0x0000000000000000-mapping.dmp

Download
memory/1032-60-0x0000000000000000-mapping.dmp

Download
memory/1120-62-0x0000000000000000-mapping.dmp

Download
memory/1120-95-0x0000000000F10000-0x00000000015C0000-memory.dmp

Filesize
6.7MB

Download
memory/1200-87-0x0000000000000000-mapping.dmp

Download
memory/1476-79-0x0000000000000000-mapping.dmp

Download
memory/1484-88-0x0000000000000000-mapping.dmp

Download
memory/1644-82-0x0000000000000000-mapping.dmp

Download
memory/1784-63-0x0000000000000000-mapping.dmp

Download
memory/1884-86-0x0000000000000000-mapping.dmp

Download
memory/1884-99-0x0000000000538000-0x000000000054E000-memory.dmp

Filesize
88KB

Download