ffdroider | 4f51e87555adc3b2b1246354e767c52737d30a1e0b2372e38e9c0883f37f6d75

Analysis

max time kernel
5s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-01-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ddf5c869fe110170ac9c29c01d1f56c.exe
Size

7.0MB
MD5

7ddf5c869fe110170ac9c29c01d1f56c
SHA1

32a6e107399e1afa6e3a0d7efc086fe12fe5225c
SHA256

4f51e87555adc3b2b1246354e767c52737d30a1e0b2372e38e9c0883f37f6d75
SHA512

b59a746baa31b3d3936cdcc2ef0ed3afa1b9942358faed38cd68e7ffd92c237a1c3caebbcf0b0e7e6df1f0d3437434199dd871be332fc57b59c9a4c7ad21e598
SSDEEP

196608:it0YTgHgUzjMHERRTNn3IeXgg9qKJgfL4CDs:gp0RRJ7Xgg9q0aLBs

Score

10^/10

ffdroider privateloader socelars vidar 916 discovery loader stealer

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.171/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.185

Extracted

Family

vidar

Version

40.1

Botnet

916

https://eduarroma.tumblr.com/

Attributes

profile_id
916

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral1/memory/2964-378-0x0000000000400000-0x000000000062B000-memory.dmp	family_ffdroider
behavioral1/memory/2964-741-0x0000000000400000-0x000000000062B000-memory.dmp	family_ffdroider

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016d46-115.dat	family_socelars
behavioral1/files/0x0009000000016d46-134.dat	family_socelars
behavioral1/files/0x0009000000016d46-114.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/760-71-0x00000000002E0000-0x000000000037D000-memory.dmp	family_vidar
behavioral1/memory/760-355-0x0000000000400000-0x0000000002D12000-memory.dmp	family_vidar
behavioral1/memory/760-980-0x00000000002E0000-0x000000000037D000-memory.dmp	family_vidar

Executes dropped EXE 16 IoCs

pid	Process
760	LGCH2-401_2021-08-18_14-40.exe
2568	Inlog.exe
1976	Inlog.tmp
2984	Cleaner Installation.exe
1684	WEATHER Manager.exe
680	VPN.exe
2964	md7_7dfj.exe
1308	MediaBurner2.exe
1488	askinstall53.exe
2240	PBrowFile15.exe
2992	VPN.tmp
2760	zhaoy-game.exe
2744	LivelyScreenRecS1.9.exe
2872	xtect12.exe
2064	WEATHER Manager.tmp
2424	zhaoy-game.exe

Loads dropped DLL 26 IoCs

pid	Process
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2568	Inlog.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
1976	Inlog.tmp
1976	Inlog.tmp
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
680	VPN.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
1976	Inlog.tmp
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2196	7ddf5c869fe110170ac9c29c01d1f56c.exe
2992	VPN.tmp
2992	VPN.tmp
2992	VPN.tmp
1684	WEATHER Manager.exe
2064	WEATHER Manager.tmp
2064	WEATHER Manager.tmp
2064	WEATHER Manager.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
63	iplogger.org
64	iplogger.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
11	ipinfo.io
17	ipinfo.io
18	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	7ddf5c869fe110170ac9c29c01d1f56c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
584	760	WerFault.exe	28

Kills process with taskkill 1 IoCs

evasion

pid	Process
2192	taskkill.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1488	askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege	1488	askinstall53.exe
Token: SeLockMemoryPrivilege	1488	askinstall53.exe
Token: SeIncreaseQuotaPrivilege	1488	askinstall53.exe
Token: SeMachineAccountPrivilege	1488	askinstall53.exe
Token: SeTcbPrivilege	1488	askinstall53.exe
Token: SeSecurityPrivilege	1488	askinstall53.exe
Token: SeTakeOwnershipPrivilege	1488	askinstall53.exe
Token: SeLoadDriverPrivilege	1488	askinstall53.exe
Token: SeSystemProfilePrivilege	1488	askinstall53.exe
Token: SeSystemtimePrivilege	1488	askinstall53.exe
Token: SeProfSingleProcessPrivilege	1488	askinstall53.exe
Token: SeIncBasePriorityPrivilege	1488	askinstall53.exe
Token: SeCreatePagefilePrivilege	1488	askinstall53.exe
Token: SeCreatePermanentPrivilege	1488	askinstall53.exe
Token: SeBackupPrivilege	1488	askinstall53.exe
Token: SeRestorePrivilege	1488	askinstall53.exe
Token: SeShutdownPrivilege	1488	askinstall53.exe
Token: SeDebugPrivilege	1488	askinstall53.exe
Token: SeAuditPrivilege	1488	askinstall53.exe
Token: SeSystemEnvironmentPrivilege	1488	askinstall53.exe
Token: SeChangeNotifyPrivilege	1488	askinstall53.exe
Token: SeRemoteShutdownPrivilege	1488	askinstall53.exe
Token: SeUndockPrivilege	1488	askinstall53.exe
Token: SeSyncAgentPrivilege	1488	askinstall53.exe
Token: SeEnableDelegationPrivilege	1488	askinstall53.exe
Token: SeManageVolumePrivilege	1488	askinstall53.exe
Token: SeImpersonatePrivilege	1488	askinstall53.exe
Token: SeCreateGlobalPrivilege	1488	askinstall53.exe
Token: 31	1488	askinstall53.exe
Token: 32	1488	askinstall53.exe
Token: 33	1488	askinstall53.exe
Token: 34	1488	askinstall53.exe
Token: 35	1488	askinstall53.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 760	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	28
PID 2196 wrote to memory of 760	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	28
PID 2196 wrote to memory of 760	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	28
PID 2196 wrote to memory of 760	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	28
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2196 wrote to memory of 2568	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	29
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2568 wrote to memory of 1976	2568	Inlog.exe	31
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 2984	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	30
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 1684	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	32
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 680	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	33
PID 2196 wrote to memory of 2964	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	34
PID 2196 wrote to memory of 2964	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	34
PID 2196 wrote to memory of 2964	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	34
PID 2196 wrote to memory of 2964	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	34
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1488	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	46
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 2196 wrote to memory of 1308	2196	7ddf5c869fe110170ac9c29c01d1f56c.exe	45
PID 680 wrote to memory of 2992	680	VPN.exe	37
PID 680 wrote to memory of 2992	680	VPN.exe	37
PID 680 wrote to memory of 2992	680	VPN.exe	37
PID 680 wrote to memory of 2992	680	VPN.exe	37
PID 680 wrote to memory of 2992	680	VPN.exe	37
PID 680 wrote to memory of 2992	680	VPN.exe	37
PID 680 wrote to memory of 2992	680	VPN.exe	37

C:\Users\Admin\AppData\Local\Temp\7ddf5c869fe110170ac9c29c01d1f56c.exe
"C:\Users\Admin\AppData\Local\Temp\7ddf5c869fe110170ac9c29c01d1f56c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
  2⤵
  - Executes dropped EXE
  PID:760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 888
    3⤵
    - Program crash
    PID:584
- C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\is-2NALG.tmp\Inlog.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2NALG.tmp\Inlog.tmp" /SL5="$201D6,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1976
- C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
  2⤵
  - Executes dropped EXE
  PID:2984
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706212715 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
    3⤵
    PID:2780
- C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\is-HV3PE.tmp\WEATHER Manager.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HV3PE.tmp\WEATHER Manager.tmp" /SL5="$201E4,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2064
- C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\is-KEFI2.tmp\VPN.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KEFI2.tmp\VPN.tmp" /SL5="$20198,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2992
- C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
  2⤵
  - Executes dropped EXE
  PID:2760
- - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
    3⤵
    - Executes dropped EXE
    PID:2424
- C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:2416
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:2192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99B62449A7E9FC527129C729E95EAD31 C
  2⤵
  PID:3024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71A5AA6BDCD717170327DF5FA8F8F10B
  2⤵
  PID:1512
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_820B.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
    3⤵
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f771604.rbs

Filesize
1KB

MD5
27d51fb273415584013aaf13170a7f07

SHA1
50dec68a2e3082bdf80f8b73650ff6dd64532518

SHA256
223a1518a94b21aa8d1695e8066d97d5e2b5ede4f932a06af7c76d4b3919981f

SHA512
2ff0028a198eb687ba4619a0a360a81178be311bd358e1dd3518b0019938d4dd2e158c4469e4c5a727cb35df8dd4496f9faa4a6b5c213dbeb1db7af61ef66119

Download Submit
C:\Config.Msi\f771605.rbs

Filesize
395B

MD5
4950900e9639e38e52f2acac851b2fa3

SHA1
9cca9fbd5e73b8fdd5e14aa49b58ee9df21716f6

SHA256
d95f27f1829ad5d8ebae6fd7577ab66ff2966cf29fb74151336dde8e3fe34eb9

SHA512
a1c4f544ebb150291a98e30d35536273d7043697d88b206c8b7eb9a95a2694bf3fa15c8052d28620e671fa33cb9a51be01f91691712f24e390d9c303713893f5

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe

Filesize
174KB

MD5
09e641857a8b49d9884af49f3b8e8a95

SHA1
4d10b91adbf6d42c281c428407992f7cb405874f

SHA256
139571aaa0d24db3d40e119522ced215229b94a7e3b73d1420a0dae21ca40ad0

SHA512
304c9b78218620c5f660de086568acc5cee1f347efb7e792375ed0650d5d324973d1ade1cb6b156ad4b85caf1b39822b9c5e12b71ecc9d955594179d9b65f601

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe

Filesize
1.1MB

MD5
94778a24f7050ddfad486099b096e0d8

SHA1
481f0bed84f947723843e85a35504859cca107f2

SHA256
04999e768a9d4b114e7cc05f9e00ac14902837c006da14efd90f7075d6724c23

SHA512
498734150d98dea0402a2c3b59b25a3776f880af2eb9a2545f29bbb934254e5917a684a6b0d0f542171c9621f7ebb7a76c3a81782d7e1b15baca72d639a4486b

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe

Filesize
1.3MB

MD5
ee62880d608ba6e326b030625c2cb97b

SHA1
de706ae4e8b6f233b049ae9615d24a4d4926779a

SHA256
e6ba9e564058bf8eda4fdac342c3faf2719edc3c19bca24b844226d4c4cd61cd

SHA512
4340d1c084ebdb74c228e99412e093cad5e93b576173178352976d1d90a8009dd24992a1ffcb66d4aafbd3e4ef9edb2656f317cfde4c0f3bc368186dfd54c772

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe

Filesize
528KB

MD5
6d214751879d25d83a6be49eceb10b6e

SHA1
d44b2908b2132d911692c16c5b7b5be499d77350

SHA256
5b7c221291b9c0deafdb5e0f3fdfb160ea24d78ed970b145d669f96a2d9ec862

SHA512
e59e569cefebaffd202b1e3a50c6c41d05055e962914020e0173ed4657b27b2a396f44368ed0536c46b86af2fba07604002aa9bdd77ae65a821e1e3379e7729e

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe

Filesize
291KB

MD5
da3ff8ab874dbf4e57d38dad5cc56537

SHA1
eaeb37bd7143ebc64ce93158b15f3de84624b35c

SHA256
0137b885cc47ecc7d299dc17b66b44c438bd830828b02b9efdf3f48a7c64dcff

SHA512
1d3dbbac874a749b09ae43b6e43581a77c78124a813d1171f04193945832c1d4a36129adff86b8a5c6f4d3dc016eb219955d52ebcc7c31f01918283a74c562ef

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe

Filesize
180KB

MD5
d5892af7491e565d3a76633d067773f8

SHA1
01dd1a3205b7da1eaf83c08906d2128de7433ae6

SHA256
5d43d42387c22846c038afbc38dde0ec0a0f1507a0016e26b34647f62a0f8dff

SHA512
5ff18e3131ac29f7d142ec0006f410de015cbd399d5c8db27187ea68f6f29aa35b2433dd2e7604b89d6188ac60e2a43e7bc92026e03485b1df928ad2f3528858

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe

Filesize
92KB

MD5
df4ca4d94fdb293b853f434c88992540

SHA1
2938466bb3c934c935c68d545bb2e56d39821e8f

SHA256
29c9b3fcaf74f0dc67477fa8896de6c8e8303b434dc803d96a1ccc93789cdd29

SHA512
46683e51529f0ce23758c841f6fbf33ee88c75c37c78ddb8d2d7c0bd37ecb3b98740000d43a0883c03f5171213826610fd69eda4286768babc741534f2492a04

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe

Filesize
192KB

MD5
ecebc5926902e49586daf98a6afea18b

SHA1
994d2fef16a546c0c8126f4734d057b60df69d4b

SHA256
3d68ac3c30fdc87c2c35cfcac55d9ca2d0e5fd69e83184bb69974537c5f1148f

SHA512
3055add70f1c8e0249a3fa24ef7c748284fc1605288e3de93f5adb853cd839aee6ca3b0637c1f87625ea82f6ece19ea61a2f49f0370582c93b2823e8bcf341a6

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe

Filesize
65KB

MD5
be48a3d2c0167f7338bec301d5fa3ab6

SHA1
a968d6d9470c6f6e06e0126f805f242da3c8d7b5

SHA256
85f8941fca4b9ff66cd75c9dcbe7056215bf09bd5339df4ef29d4574550233f1

SHA512
1adea665634ce50c05f2f1b073e516ddff685956ca51fa9d17bca5687266bdfbf93f11231853e93be37e515cb163a9be3dc89519b786339349eecae1af726200

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe

Filesize
113KB

MD5
68d0ab9d3a1bacdd52379e744cbfcc12

SHA1
8b01ee9f5a91323d0d2320b936a8ac4eb17cf692

SHA256
796dab8079ce71555b11dbe889894f0e6dc8d5626ebea96c62539cacd6ed6588

SHA512
c14f553172a2375748733dcaec4df67929f189bff6c3ee616696210a9ad4b9f6656fd83cf8e2b30a74dc0c0807fd7b22801cfc34f2048bd038b00d8523016b6b

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe

Filesize
380KB

MD5
28b20d90d1efa7800697bc323b01a378

SHA1
8ed124ddc8a7861df1822196d0929908ee010528

SHA256
cdc9a15859638b1abfa09483088b78bbf51ae92c6f9434a92f1ea7d93122de69

SHA512
858c4e4596611b9ff04461adbd2c0bc01077829e246367d5c7185729c3aaf7bf185f6d69d05f52ca671320f2b6a72e70612422df7e0dffd4b3f096c96b96dec6

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe

Filesize
381KB

MD5
405f32d7d1c647b66c3f6b9a5355791a

SHA1
e242181372ce53855995de4bacc9cbf340ec081f

SHA256
3b4c4c4e34e28d067dce529db28cd17d85365bbf0934afead71aa034a115163a

SHA512
ab61b02b542c3f209fb9172fbbb79747eb93b48d6a5b1871b7bdace0ad0fc0aa9550504698ed1457f9eb5436c19b0ffec1adda9fa94aebab7452316bb53f6e25

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe

Filesize
406KB

MD5
b2e68ecea1a358cb408814f3b5d6ac9b

SHA1
6e84edbc2cbf915ad4a5dede96923872638be75d

SHA256
94799eb5684aa9bb8311542b6da38fc340722521fc4fc87a974fc54cdcc48c1f

SHA512
8dc85b95c8b8b92cc1c4d99902588e43b2f1d4cf1c477ea85bcb8d5c6696a270dc4a384b6c3d05973b8a425be6c8574bcb930ad2349dd876b5a2061e9d83cf10

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe

Filesize
269KB

MD5
76db087749e83ce5f9fac3793b2b0c13

SHA1
7fc87f16185828afc1e08249ebf25f19d40fb47c

SHA256
3cc2604d58b7f7869a2e69ec123f384d211c2d3d4441af0903050a5bea2f2758

SHA512
b96769ec01db947b794bc5875ad6cd4702a6091609ebe6317073977e7b3452320f9381afd3d4b36bf44fed073c84818800b476502259adbd2486f45160fe7a1b

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe

Filesize
921KB

MD5
a3ec5ee946f7b93287ba9cf7facc6647

SHA1
3595b700f8e41d45d8a8d15b42cd00cc19922647

SHA256
5816801baeff9b520d4dfd930ccf147ae31a1742ff0c111c6becc87d402434f0

SHA512
63efc7b19cd3301bdb4902d8ea59cae4e6c96475f6ea8215f9656a503ad763af0453e255a05dedce6dd1f6d17db964e9da1a243824676cf9611dc22974d687a6

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe

Filesize
346KB

MD5
0d3446a23cee3cbddd0ec2506d2b22e6

SHA1
851bfb4531b48057eb7f707166dcc035d80e3dd2

SHA256
a5b4f696f0b3424e135a97cf5ce1d1764f12760ac1dc31b371088922c34f1287

SHA512
222da7512010ea848c6eb5af0013690f346e1d02c964ee8ac674120066cecaee60d50317de5373feb198444276b42a72af0151e2f149e7445e795c8ae52fd90f

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe

Filesize
224KB

MD5
c788400630d5eefabc85204dda30ab4e

SHA1
f1010807390563ca1ec43b3c0e457596fc71bada

SHA256
c981199b4635b949d50bf9e34e20f58fac52c3d357e8db85bfee26804a6f83c5

SHA512
2a44203f5798e2294b1a1173785cb8d895cc5ebb356442348bbc2d77f246e5b37578ecf5a9ca7f9d0ba7af7f43b3291cde7aead73f20d4295368f1d4f2d7b4f9

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe

Filesize
135KB

MD5
39433404dd14815933638c0d5c3ca8d5

SHA1
095bb05416ce918dc9112ff592798d92cfeefa08

SHA256
284f17eacd356be1d22b95984dc8d105ee3baadeb88a60fed2e8518d06592748

SHA512
1a591b1efa8371d42e0b385b6bb590acf83d8a7d419dca4d1ca84aca985d945800b47acad5d4e515f2dc593c996009835990732b0b3890291febcf9f8f869437

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe

Filesize
92KB

MD5
871dfa6b9a56ac4bf9feae18018b4e4f

SHA1
4c928426bb81ceec27d90a3970695416e34fcdb8

SHA256
1e71a711db951d5c229e6e183315a3d6788be7386c28027b249fe979f02f9922

SHA512
d887403d4b77efb3408d8f6662598a6b0e2ae8fc8719b822903ded845f66c57829a490ac8129165ca0d5786ba33c623e28d1fc297608f86a72851120a56522fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
867B

MD5
c5dfb849ca051355ee2dba1ac33eb028

SHA1
d69b561148f01c77c54578c10926df5b856976ad

SHA256
cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b

SHA512
88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d061a2b1eaee2e42b5ce830d4e37c64

SHA1
2f80a97e8f468067543cb575436d86c4bf21482b

SHA256
c4b66e11584c7ac9018c32b2eea69603467887b18734f76e7d65b9eb0dfa8814

SHA512
a8f5eb3e3a0e5d3bef875c00e425d430b5186be031ce5923a7428ff2c4f8566be166cbd01ca885ca1266351eb6f056b0e91dd97429e70c5066ae9639cf97eff5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
26ae814b10e72f7335818ee23e4b5130

SHA1
c4b62cea918b2878c988efc317e4559088f23ba6

SHA256
c78ccb88fdd14315c3f99c2b03bd4736d8cbcc4454df17e6fe29460a957b8e91

SHA512
b7566c3d585e35f8ce7c9bd761843e5881f995313d9402d54b7e2795895e0c319947b7f2a7354a5a410af563db4179a1385005f80ecc0f4e559add27de0abaab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5335a4da2d1d7f22545a66a624b69600

SHA1
c94be1effe1854636b583aad33d34742871a4235

SHA256
efb9cd038b7d1c694c2e30ddfe3961566b5e92835ef850ade9a08eecc663eae7

SHA512
9622137b3ea7b0b0068d0783985c8e9a8ae5d49e4c322fcd250bea7a3ee4c6eec17df3ec34087a6b5043de427aa08bdb767e263f519647cea9463659a3b3ce36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d53fea43158bc69d5c3f16db5ef18aeb

SHA1
84c8ae2f9b061fdeb8a050c9b8a30915554a5609

SHA256
7cfa1f32b0dc1900a116f38f4fd6167cdcb46d0ea9c9b2df61c2f7f7016ea71f

SHA512
d02809d974ba8f9087c03ec85bfeb6bc8db60d24e5761340defb949eef4e76191883a2732d81e31b43d598ced0c103a1cf418c22e34bf1617779f2000ac9e91b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3d00dd3657d338feedf70b73d61e769

SHA1
7e488ab612d29113af26ff59faefcac691ff8548

SHA256
0d0f215df04f39b73acb3f727f68bacd13ddcc25d043436e5867a1ffd008e960

SHA512
635955ef749c3a833096a4ebb28a83746a1bf9f86cc956596a09cf33dae56a1d971b10a51e3abc7ba080b2114bee34483fe418220ca4f7d3d33f43288af183a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f5bc4e496c68b12907898b8bea2516cd

SHA1
6b0bb682afb2a820da82c421585d79e44c0376c5

SHA256
50d0f25c2e72c8f8e74ce3897cdaf204d776b942cca0993ed9e73e44eb3f251e

SHA512
11a5e8bc71f29ddb8c349e417c26fd4617c726d282161bb146d3a3cd09263d835f06103d09684720cbff1ee4315358f4015529b42352b5f9155bffee95558748

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10393d4870a33c9bba6beceaa90eb6b5

SHA1
70636395977bce7bd9feed1b1a688302211b7f00

SHA256
bd2f33e7ff95f54a6ed299ee0351548942243fd7ad36f31da95cc32d79c1e609

SHA512
f8480ad6b68818fc4e560cebba5087d00659850ccaeb804f1d969518049c1b173a99e1d3d19a7420ccbad720683c2e2ccaf6ba1ac08b5d5f5e0f02562ba1d3cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45f2146667fc48f489d742651c7416e5

SHA1
2c56a9fc6fa1b75023e53e1098606133c44950b5

SHA256
4ffb379d3b528b837ec0a007c62173f49aedce020ce6bc4b7afae267c53e8919

SHA512
95a20d3ddd7612ff8839f13e8ae4150d02b5b30848341bacd798b38e0367f1df0548b3bada079970c4b91bb02c40f0db0cbe4f72ff8792f45c65ce65f70dc094

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb8b5478a6d9fa7c828c7ed897138057

SHA1
b5afc00219155b8d740e6012363ab831b9a74db8

SHA256
8fc25718ca7d74c6defb2996f215a87e5cecad917cc909e0629fbb4a45866c83

SHA512
314e82df547c45099cf7510a93fb3664919972b2eac4cbb779503186c2a103436e8a8b46f2b910bb3f83ed66cdf5bc82c5ae5be9c8f526fd142babfcb076da72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

Filesize
242B

MD5
b3d67c53db6cbf1dbb364bf57c5e1ef9

SHA1
74d825035758bf9a270a7f6524be177f79ead1db

SHA256
d40298c29477023c5e1a1ba0ab332d80df6adfff995704ee85422328be2c8bfb

SHA512
fa3479baa34210b9f2380b10379d4905a82fce247ae591d69da39a5fb8006e105d99a18d7bdc3b7eb26a66138c5b550d2b834dff3fae1d4fac0a9d1185baef02

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\LivelyScreenRecS1.9.exe_Url_xaous4coxn5ui44j4ipxklrh2bbp1aef\1.2.1.0\hainc5qm.newcfg

Filesize
1KB

MD5
d71a12b7aa02592b03878877eb133425

SHA1
899c5404464c3efed66534207d0245e0cf050488

SHA256
b44c3fa39198be28e0e723fd458eae31a5f05041926917fe11e2b265aa0cbee4

SHA512
ae0733fe01b479f4ad291ac1180ae9f9b5833fa072001c40728d9f26d4aa9e94ec0239432df16cad35c2675b41d58c6e599fbd0dbc1354d297ab8bca30cd4441

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\LivelyScreenRecS1.9.exe_Url_xaous4coxn5ui44j4ipxklrh2bbp1aef\1.2.1.0\qrkb0lrd.newcfg

Filesize
964B

MD5
8e18625cd36f0075da4bf0ce8fac8204

SHA1
0df80ad1c5ea9bddcb5cfcf2c60c6fb3db903216

SHA256
35799f5570b76aa51478e74ea9d1c42b39be157c3953a2b44047dd3ed2e629b1

SHA512
74d8be6cddfc1c13acb30c18752d93ef8d57348b8b29220914ecb126ae8459318dd150b2f51299870119bdb6483f35417baa988c688f0f621512c5a47e227c26

Download Submit
C:\Users\Admin\AppData\Local\Module_Art\LivelyScreenRecS1.9.exe_Url_xaous4coxn5ui44j4ipxklrh2bbp1aef\1.2.1.0\user.config

Filesize
842B

MD5
1b02b89ab3872d00c6a46cb4a7048dc9

SHA1
0840aefbbe40a00d7290d32ce8243de3cf98339e

SHA256
ac8517efbed88850a40943fbd667d9a06f6a156f0031109f59b4ca821aa22fd4

SHA512
0eeee6c2cf1eaa11d561ba17ed65caf97e069b5ccbf7420c3ae4bf88859f1273034a600da91620411b12cd3241dcfabdc8d4ddd58218f2781254ac6ccf1fa419

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6EBA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6ECD.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2NALG.tmp\Inlog.tmp

Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-80EFA.tmp\itdownload.dll

Filesize
152KB

MD5
c529f496b37e1cb500e4c655be2c89ba

SHA1
d1274fa354bdcccad1a46b15fa2e280b4f9e0b62

SHA256
f7b5a4bcd427521148071636eff1997c00be517c72ce471c37637b25a9ed3bfa

SHA512
359d2dfac304ebbc9d51f88cae101887fc8970749c2a59d800a83dd140666823795e7fd7ca6411f47d50de1b02415440c9f006cb5fa0fb5c23d5e78bee7147b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HV3PE.tmp\WEATHER Manager.tmp

Filesize
11KB

MD5
308c9705136c79e58e4a914cfe1b424c

SHA1
3d85fe494cb7f3052eb1c6ee1295c6a812ef0538

SHA256
4cf9780c70bab19db5f30e4673d203dc1f5009a901b3c55d8ec8f3704fd2da33

SHA512
a43721bae3b17bd101cf2f789128754ff98eb07c2b01f7ee3298e87c9bef25193829f69dbda2c5ad70e555124a26e945bfbd20327e2a90e16950a5047ef15afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HV3PE.tmp\WEATHER Manager.tmp

Filesize
272KB

MD5
5374f117554ec1242de50a450bcd037e

SHA1
7d435fa580669735b1a43a87685e9a45ac718aed

SHA256
4d6941fc486d3a8769e49d82a3a79b4df5358e2a5d789e3de744644f59517142

SHA512
569930e05bf025d0ca4e761d1bc6463c3a544220053e9cb0f561a34147cfbf60c99903e351817f59b4b1b5f4838b1d489b49a0d58ae78016ef849bdec49879c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KEFI2.tmp\VPN.tmp

Filesize
555KB

MD5
917c923d90957f2e26742bac9ea4723a

SHA1
c348b014a2ecea482337255515be1b307350c5d0

SHA256
899750f06a1459a1583687a10ac452da8a32943cc3896a771f144547df0e68b4

SHA512
052b57bddfd0e3127ac2dce62d50b19abfc636db4c174b6f3236eb359d16bc5dc98f3263cc7011b40778041ad10bfd39303f2241adb3350189f46483703dbc98

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi

Filesize
2.2MB

MD5
18e72e318b3704c7b8d8bceb16373ba2

SHA1
6406ee7c8f26ff055ed75db5361341f22e3da549

SHA256
01222e6738fb541f9d160eb967e459c251acf4919cb74900b8abde91d647f618

SHA512
2c208060e3d130697d77bbf9bba436a6d1c9127d0fa05b31f19ba94b43c5f4d442cb52cda850875befe80d06b34820da02caaa55e4599c9aff109ce99e4b881c

Download Submit
C:\Windows\Installer\MSI2416.tmp

Filesize
379KB

MD5
44a7b7525b79f0debf1b8e974fedd351

SHA1
03baf0d9da00a2b9dfb0818d611956c3ff7b10eb

SHA256
b91626906fbfbf40b95651fa6028a4600b9c55d29f39948a28d7d2debdb31880

SHA512
38aeec4d9e54a0dc459fb299e400b63320c57840afddcc64dbd7ca02f9986525cb442f5eff4c43b681da0aec71fdfa763d00dc72849c01173d719f995514b9c0

Download Submit
C:\Windows\Installer\MSI416B.tmp

Filesize
568KB

MD5
bb1d68aa6bf943fbd841c1e1695553fe

SHA1
becf40da1dcabe97cababb6c7ff6a74cb6de1c9b

SHA256
b2ce736ec48d6e9247074fbcec33246aad61f4d3ac2007ac4d8bc74ffb8c1342

SHA512
8cb6b2df8d9163f2d0e5cbe128c9c33120c9358c2b453fe2b0b63f1919b731e856c3121af305c916f80b2ddc9eca23201b47151535a8211eae40602a5ccc5be8

Download Submit
\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe

Filesize
3.1MB

MD5
637599aaec7cccd5c28e9ebdc841ff42

SHA1
0bf0646c22a48c4f3377396f8825dcc19f2f0e16

SHA256
1637b80e9cc80b8272acada26ee65b42c6395410b99da6f281658cb3f68542fc

SHA512
5d674ed4f550fb21b954ff1fce44f32d889db4863df2652c1a287a6b19be880e13f1af81c9a1c205cd36411f96277c1cce42a9be08d366f50f501f57dcc798b5

Download Submit
\Program Files (x86)\GameBox INC\GameBox\Inlog.exe

Filesize
381KB

MD5
3f9d188595f40d91b8e7c4634f89c82a

SHA1
42a4c6ded84467f59e8a0e51f2b6295bb0171994

SHA256
1e9fdba9e84dedcfdc3f69862350e56ffe8afbdcde704ad23959435b7fab79d3

SHA512
41b37dc29a3e090dcd64093592137145db8a1ff60de0cd3fd6ba4949db32603aef082e9bfed0dda4bf18c4cfa57719a426f1e3dbd3cb7942b796e4c4ec0b7694

Download Submit
\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe

Filesize
275KB

MD5
920a10d23f240c635c945e848b8f1abd

SHA1
d8ec85265d918c527ce6d1dad8c43ae1d28b82f8

SHA256
c1324cdd816224167628f90cb6e2e5b92ea8dfa1826043ab1bfe0bd033349993

SHA512
cdbb92febc1a6ae6598ce58d6c72201082ec2cec210a304691926b5c5c3431546bf5e9ace330f95922d65c94617dfa165239a5b0fa9ac5e57a666d417c88bdee

Download Submit
\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe

Filesize
447KB

MD5
eedfcd7c2bf7c9aa588abb6bd7203f86

SHA1
072a0bc7e377fc3b1a05492c70807ebfd2ffec20

SHA256
5d6821590908ba81a1762af257f23075b6ccc831343320759a65fcb6f5e79b31

SHA512
8883e466b56a8c9bb33dcdea6bcf8e6cdc9cb44416cc7bf5793f44872495d9d80bb86273d6c9a5ecf668ccd4da75b24e10bffe4ee813d1f1864e01191d6a16f4

Download Submit
\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe

Filesize
227KB

MD5
f3d59b734c87738399303f9a6935b103

SHA1
c7583811e1e79136034da809d296473d338092f9

SHA256
b9484ba69d573b6970997e0828ab849030f087fdeed3b644ada052535f00dfe7

SHA512
de1ca2a158eea16b98bcc527064fbb020fc91c5d6ae71c66e5266695c8b5b24086641bb5cab2f5b8dbcaaa66bc6339fd12e8faab1379c5508c512c94e3033885

Download Submit
\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe

Filesize
64KB

MD5
03459e806ab39cd951014b86ecdf4f13

SHA1
b84a0ed1aabe18bd9b749c99d4a0b43cf2d57ff5

SHA256
d216f833356b88a866ea71e4672c8b79f671b0a0d58bfecb9cb1755b07ee8505

SHA512
7d9f139ab31dcad1ee9182b276e8a7275886b1ec70c922dde854955d8bd2f15e0a05df0855c0866df7fa6b8f2cab8f49dfa6aa5977fa0cc8e8fe8e955ec6d381

Download Submit
\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe

Filesize
382KB

MD5
3204efb59a2c578b8dd1889bad5b91db

SHA1
7435ae3f7ded2d1fbf748ee37acbad5a27a0cff3

SHA256
835724616ecf0e8ab072f403ec89643b3b634ab667f7444b2bda5656b522395a

SHA512
693101d3c191c805a4cafe7904a3aa2fd3780972b8d29aff12ce38af2267ad97e9c783a0fa34da9ff1feb14b6dda31b2c6506bb5264627d3afa435e4f41d88f4

Download Submit
\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe

Filesize
153KB

MD5
956518e266d33bd5966f7b877043de8b

SHA1
6adf7cc855cfd5660ca881c444c877975eade605

SHA256
c2c0e415959940cf32caaca653c38afbd8aea7b138de2819a42fdf52acab8faa

SHA512
72ce617d6379080af39d94d51cbca21bfe1e8f4797a5fcad84ff59c3904e96f929873a1822ea8030905f111e511a5b2b06da869cf501d1d9533b86452a50fb84

Download Submit
\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe

Filesize
1.1MB

MD5
9468b2ec5f92bb5f86e6e3e8dbc19c9f

SHA1
ae5ebfe3ced9ab223acf625468fdcc9ab317ba42

SHA256
405480e11412f2064f7b798180f06229cbee7a71f8fc52a5f8a80848bc0fcc16

SHA512
58353051ec0815611e692d0cad6e37b2110a127b38b62220373718e83eb0f8e7bd0f0b6b434ae52238085106e60e07cc530f3f7278e9f47f940565e65170c898

Download Submit
\Program Files (x86)\GameBox INC\GameBox\xtect12.exe

Filesize
375KB

MD5
5488573023f2ea44c79a43e4540e85a8

SHA1
2ee5bb89a7a1efa28c75633e4ecc4a060e478585

SHA256
f26bdd813a423963d77f460b06632f4c093633b74f56cc1236d95f1db0cb2691

SHA512
f803ef9211e344cebdf94c38efbca6442154a4c2382a8c701e6077efd6959432c6f336c98836ce1538b27f43cc28509a3ac3979bae65ed38c21ae764f386be55

Download Submit
\Users\Admin\AppData\Local\Temp\is-1SVLE.tmp\itdownload.dll

Filesize
200KB

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-BA57V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-BA57V.tmp\itdownload.dll

Filesize
147KB

MD5
8512ac4585707298d9207ad72f4d509c

SHA1
067f2cacfeb283209a1cd49a019aa936b3d96a9a

SHA256
702067fcb3c6b4314f856b14a6b79ecf3a94f6327f1d7a993247205821cf0c1f

SHA512
6b41b166733c71884a86cf785878824fe050bc2f0f457f56bdffc7c053bdcebe547917609d9c76ddf15fccab3b30162c6d27148e59e553b5554a631ce99e3bbe

Download Submit
\Users\Admin\AppData\Local\Temp\is-HV3PE.tmp\WEATHER Manager.tmp

Filesize
317KB

MD5
7ccee031e24c2b003395abfb2f4a63ed

SHA1
7b93892ffc966178d534a2b0fe65301529880fd4

SHA256
886e03076802844775dda486ed02f24623e967976ce9922512d2355577cf38e4

SHA512
e3ec681c9c630bba36c73e0fdee5f60cb96fa55ba406d5ea812acd17067747a33d648e9e5a75943e2d42e935bf6e9990e61955bed7decc377ab38f5e91df122a

Download Submit
\Users\Admin\AppData\Local\Temp\is-KEFI2.tmp\VPN.tmp

Filesize
45KB

MD5
b1ba0483186726bd66beb4fea2975e11

SHA1
67082736cd404eedcb088faa04ec4067058149f7

SHA256
ad6a127f0629f5fdca4bbac0a084dadb957c2f436e57c52c161e7e79d73b089c

SHA512
f900225cd2e90c93d94462d67c2e00a322b4473ba8275d6a99d4b69959154af7b977360bf9fd8d396de9d763e15598e3ac4e0c00c44deea1cf2542d5a26eefac

Download Submit
\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\decoder.dll

Filesize
202KB

MD5
a4f3eb01f1780e82360ca36510da2537

SHA1
e930449e1b5dc94e062e5ead80cdeacf164a682c

SHA256
be29096f6adb99abd29f99e0966bc9aa0f242cb46a03d5592f4a5fbeaf2f6cee

SHA512
cdd9d6b27ab488f4bb29ced7d8ebd8e9f62c79d17fbc3ff9fbde449035d5539138025826acfeb4d8528c81c9009c6e95e242639ee75d443c3a31d8ba1a4fedf9

Download Submit
memory/680-293-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/680-107-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/680-92-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/760-71-0x00000000002E0000-0x000000000037D000-memory.dmp

Filesize
628KB

Download
memory/760-979-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/760-355-0x0000000000400000-0x0000000002D12000-memory.dmp

Filesize
41.1MB

Download
memory/760-70-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/760-980-0x00000000002E0000-0x000000000037D000-memory.dmp

Filesize
628KB

Download
memory/1308-123-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1684-377-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1684-93-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1684-429-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1976-354-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1976-144-0x0000000003440000-0x000000000347C000-memory.dmp

Filesize
240KB

Download
memory/2064-409-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

Filesize
4KB

Download
memory/2064-383-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2064-387-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/2064-388-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/2064-389-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/2064-390-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/2064-391-0x0000000003A00000-0x0000000003A01000-memory.dmp

Filesize
4KB

Download
memory/2064-393-0x0000000003A10000-0x0000000003A11000-memory.dmp

Filesize
4KB

Download
memory/2064-394-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/2064-398-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/2064-399-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/2064-400-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/2064-404-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

Filesize
4KB

Download
memory/2064-406-0x0000000003AD0000-0x0000000003AD1000-memory.dmp

Filesize
4KB

Download
memory/2064-408-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/2064-385-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2064-186-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2064-380-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2064-381-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2064-417-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2064-384-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2064-382-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2064-386-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/2196-126-0x00000000031B0000-0x00000000033DB000-memory.dmp

Filesize
2.2MB

Download
memory/2196-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-139-0x00000000031B0000-0x00000000033DB000-memory.dmp

Filesize
2.2MB

Download
memory/2240-212-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/2240-438-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-418-0x000000001B030000-0x000000001B0B0000-memory.dmp

Filesize
512KB

Download
memory/2240-350-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-176-0x00000000008C0000-0x00000000008E2000-memory.dmp

Filesize
136KB

Download
memory/2568-66-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2568-357-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2744-189-0x0000000000E80000-0x0000000001008000-memory.dmp

Filesize
1.5MB

Download
memory/2744-986-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2744-413-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2744-1002-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2744-246-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/2744-410-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-543-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/2744-492-0x000000001ADF0000-0x000000001AE74000-memory.dmp

Filesize
528KB

Download
memory/2744-984-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/2964-741-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2964-146-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2964-378-0x0000000000400000-0x000000000062B000-memory.dmp

Filesize
2.2MB

Download
memory/2984-439-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/2992-166-0x0000000001FE0000-0x000000000201C000-memory.dmp

Filesize
240KB

Download
memory/2992-291-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads