nullmixer | 4927f0b88f61a54fb9c8d14081cd5a80c6c6f358e8431af76fda5a5366d81aa8

Analysis

max time kernel
159s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.3MB
MD5

71f8873392df70981a5e02f4d33930dd
SHA1

66cacadd474eded6b3582389c96866d0dee8ff4b
SHA256

e17ed5dd93ee4943d5b6776705d3b149f8e426d0c1d44a57f467d31e55f47892
SHA512

e55eeedc6c114c85cb0ee13d8f11907504deeae731bcf6c4a204b394ba3e21c4a2c8ff47adb28eea979ee179050e4225f8ba57abbb2d2c361c561b89a6ca2db8
SSDEEP

98304:x6eKfE9KlGB9z8qTsF5iOew3qrCvLUBsK5L3ECz:xT/9HHoGDQLUCK5T

Score

10^/10

nullmixer privateloader risepro smokeloader vidar 706 pub6 aspackv2 backdoor dropper evasion loader stealer trojan

Malware Config

Extracted

Family

nullmixer

http://marisana.xyz/

Extracted

Family

smokeloader

Botnet

pub6

Extracted

Family

vidar

Version

39.9

Botnet

706

https://prophefliloc.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jobiea_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jobiea_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jobiea_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	jobiea_7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	jobiea_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jobiea_7.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jobiea_7.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral4/memory/4012-102-0x0000000004830000-0x00000000048CD000-memory.dmp	family_vidar
behavioral4/memory/4012-107-0x0000000000400000-0x0000000002CC2000-memory.dmp	family_vidar
behavioral4/memory/4012-139-0x0000000004830000-0x00000000048CD000-memory.dmp	family_vidar

ASPack v2.12-2.42 5 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral4/files/0x000700000002326a-32.dat	aspack_v212_v242
behavioral4/files/0x0007000000023266-40.dat	aspack_v212_v242
behavioral4/files/0x0007000000023268-46.dat	aspack_v212_v242
behavioral4/files/0x0007000000023268-45.dat	aspack_v212_v242
behavioral4/files/0x0007000000023265-50.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	jobiea_7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	jobiea_1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	jobiea_4.exe

Executes dropped EXE 11 IoCs

pid	Process
3696	setup_install.exe
4308	jobiea_1.exe
2400	jobiea_6.exe
1672	jobiea_2.exe
4612	jobiea_4.exe
444	jobiea_5.exe
888	jobiea_8.exe
456	jobiea_9.exe
3004	jobiea_7.exe
4012	jobiea_3.exe
736	jobiea_1.exe

Loads dropped DLL 7 IoCs

pid	Process
3696	setup_install.exe
3696	setup_install.exe
3696	setup_install.exe
3696	setup_install.exe
3696	setup_install.exe
3696	setup_install.exe
3696	setup_install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
68	iplogger.org
64	iplogger.org
66	iplogger.org

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	ipinfo.io
49	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	3696	WerFault.exe	101

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	jobiea_2.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	jobiea_2.exe
1672	jobiea_2.exe
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found
3372	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1672	jobiea_2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	888	jobiea_8.exe
Token: SeDebugPrivilege	2400	jobiea_6.exe
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found
Token: SeShutdownPrivilege	3372	Process not Found
Token: SeCreatePagefilePrivilege	3372	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3220	OfficeClickToRun.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3372	Process not Found

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 3696	3608	setup_installer.exe	101
PID 3608 wrote to memory of 3696	3608	setup_installer.exe	101
PID 3608 wrote to memory of 3696	3608	setup_installer.exe	101
PID 3696 wrote to memory of 3020	3696	setup_install.exe	104
PID 3696 wrote to memory of 3020	3696	setup_install.exe	104
PID 3696 wrote to memory of 3020	3696	setup_install.exe	104
PID 3696 wrote to memory of 3516	3696	setup_install.exe	122
PID 3696 wrote to memory of 3516	3696	setup_install.exe	122
PID 3696 wrote to memory of 3516	3696	setup_install.exe	122
PID 3696 wrote to memory of 1880	3696	setup_install.exe	113
PID 3696 wrote to memory of 1880	3696	setup_install.exe	113
PID 3696 wrote to memory of 1880	3696	setup_install.exe	113
PID 3696 wrote to memory of 2436	3696	setup_install.exe	111
PID 3696 wrote to memory of 2436	3696	setup_install.exe	111
PID 3696 wrote to memory of 2436	3696	setup_install.exe	111
PID 3696 wrote to memory of 3524	3696	setup_install.exe	109
PID 3696 wrote to memory of 3524	3696	setup_install.exe	109
PID 3696 wrote to memory of 3524	3696	setup_install.exe	109
PID 3696 wrote to memory of 4488	3696	setup_install.exe	108
PID 3696 wrote to memory of 4488	3696	setup_install.exe	108
PID 3696 wrote to memory of 4488	3696	setup_install.exe	108
PID 3696 wrote to memory of 4944	3696	setup_install.exe	107
PID 3696 wrote to memory of 4944	3696	setup_install.exe	107
PID 3696 wrote to memory of 4944	3696	setup_install.exe	107
PID 3696 wrote to memory of 3868	3696	setup_install.exe	106
PID 3696 wrote to memory of 3868	3696	setup_install.exe	106
PID 3696 wrote to memory of 3868	3696	setup_install.exe	106
PID 3696 wrote to memory of 1528	3696	setup_install.exe	105
PID 3696 wrote to memory of 1528	3696	setup_install.exe	105
PID 3696 wrote to memory of 1528	3696	setup_install.exe	105
PID 3020 wrote to memory of 4308	3020	cmd.exe	110
PID 3020 wrote to memory of 4308	3020	cmd.exe	110
PID 3020 wrote to memory of 4308	3020	cmd.exe	110
PID 4488 wrote to memory of 2400	4488	cmd.exe	112
PID 4488 wrote to memory of 2400	4488	cmd.exe	112
PID 3516 wrote to memory of 1672	3516	cmd.exe	121
PID 3516 wrote to memory of 1672	3516	cmd.exe	121
PID 3516 wrote to memory of 1672	3516	cmd.exe	121
PID 2436 wrote to memory of 4612	2436	cmd.exe	114
PID 2436 wrote to memory of 4612	2436	cmd.exe	114
PID 2436 wrote to memory of 4612	2436	cmd.exe	114
PID 3524 wrote to memory of 444	3524	cmd.exe	119
PID 3524 wrote to memory of 444	3524	cmd.exe	119
PID 3868 wrote to memory of 888	3868	cmd.exe	115
PID 3868 wrote to memory of 888	3868	cmd.exe	115
PID 1528 wrote to memory of 456	1528	cmd.exe	118
PID 1528 wrote to memory of 456	1528	cmd.exe	118
PID 4944 wrote to memory of 3004	4944	cmd.exe	116
PID 4944 wrote to memory of 3004	4944	cmd.exe	116
PID 4944 wrote to memory of 3004	4944	cmd.exe	116
PID 1880 wrote to memory of 4012	1880	cmd.exe	117
PID 1880 wrote to memory of 4012	1880	cmd.exe	117
PID 1880 wrote to memory of 4012	1880	cmd.exe	117
PID 4308 wrote to memory of 736	4308	jobiea_1.exe	123
PID 4308 wrote to memory of 736	4308	jobiea_1.exe	123
PID 4308 wrote to memory of 736	4308	jobiea_1.exe	123

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\7zS81E06858\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS81E06858\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_1.exe
      jobiea_1.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_1.exe" -a
        5⤵
        Executes dropped EXE
        
        PID:736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_9.exe
      jobiea_9.exe
      4⤵
      Executes dropped EXE
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_8.exe
      jobiea_8.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_7.exe
      jobiea_7.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Checks computer location settings
      Executes dropped EXE
      PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_6.exe
      jobiea_6.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_5.exe
      jobiea_5.exe
      4⤵
      Executes dropped EXE
      PID:444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_4.exe
      jobiea_4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_3.exe
      jobiea_3.exe
      4⤵
      Executes dropped EXE
      PID:4012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c jobiea_2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 556
    3⤵
    - Program crash
    PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3696 -ip 3696
1⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_2.exe
jobiea_2.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:3512

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3220

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_1.txt

Filesize
56KB

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_2.exe

Filesize
21KB

MD5
99307522acddef8ca03995c996e33c91

SHA1
c84aecc7b3f6391a37750946c1ec276212e74f43

SHA256
3a48fdf6bc3242b9e060b25b97fcaad87541c59ca8fe39f9260a4d492b103728

SHA512
bfe2ba550b201270d223be52d66988042d961457d480ac372153a4c076d9a59fef9091205073f27e88034a5174d12f098e960385571d8ed8781b49ad0199cbfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_2.txt

Filesize
188KB

MD5
44dc205a5701b53f391a3a750c2c4712

SHA1
14e82b1f6bb987d8f2783db2ab5f82dd9ab8eacc

SHA256
508c41442ba856a3266b3e58a31fe8c4b0ad7491e04dfead265daaa028efd768

SHA512
02890434c81867499e0911e8062797bf7fc184e05b6de2ab14ffa6f95c48f88e07250b4e5a7ff565bbf45d66d8d7cb5c1009b85085ee3a6bbdac218f356c5749

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_3.exe

Filesize
173KB

MD5
60a02988adcf55a801b2b46d6f8b7807

SHA1
7c83f0dce1f121e2493fce061188018f6f02664c

SHA256
ffa5f5fa15b36e384eab898dc8e40185ccc6ae34d4873aef5fc58899c3ef9f2d

SHA512
f774442c89e4df40765dc69750046888420cdd6223ec60cc6619ddd0cee28b0fd8146a0aeb0499d9a4589f59ed117640f995d0107f86244bb700a21c2149825b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_3.txt

Filesize
177KB

MD5
1be717841e320fe6eeac11fc18693759

SHA1
edf1ab338d7eab452987f4b31d18f1df1597caca

SHA256
7c33aa0f3069a185e474fea2e76222f981e588c1bc884e94390637b427a4e7ff

SHA512
041296471c27bfd78ce5d9f2663e75b831dbc5188adf4f55fa7edb1a7c95799f337ab96c823199bd5b87477db8636146d2bb24ba8cf4c88121c9240f753b8748

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_4.exe

Filesize
283KB

MD5
26bdd5a693948927aa30facee885cb02

SHA1
4aa131e42fac4e1bf50f795f437b57139f8c4222

SHA256
de93ce767f491acfeea3aaafdf167a4c1da7f7bcf14d0ffffcd5b77955b6b2a0

SHA512
8ea9c32477d82996b159a6d94fd52f1099abdb7c39dc44d28271e958b6b43581399434e5dfc85bc4cae9b8d8d984f6a886456aa1f3154f84efe95675bab127fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_4.txt

Filesize
206KB

MD5
a0450d044c2be98e7ce40082e43f7817

SHA1
dba93a918a9fa4c03a688e1bb2e732572c66c266

SHA256
47db2e8b68ccb12345ee604a2bc33252e14ca77a073b3de242c251bebaad93d4

SHA512
7b8b6846b2f4ec93d9d78f61da15935298aa96d38ed29159733da9aa28d3ef7f939fb8aa94d00dee03735d00cb10181643b3b382cb8ebabc8ea3a11a95501672

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_5.exe

Filesize
276KB

MD5
b64d70790c016ee8c145814e54949c39

SHA1
dfca1505da9b2aaff45d588e0e3187a4ee606211

SHA256
0394e8e30846a199ec2f8920ffa29d90ab3dd175652fd8f4201db95f4d1401cf

SHA512
aa35655153738d3c0808d2632f8f1810c096741f5a81bd9d3aecc9ac59ca53229b16dbe2c11c40b5eef05acf58502ec7c380920469ff75cf2b6425baf113ae27

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_5.txt

Filesize
376KB

MD5
7b7f6c47f6b1bdeae509bf5723d8fe9d

SHA1
fcbb0e3a333e32688c9ef2e111ea44e7093c7723

SHA256
9f5342896a4afb45dee92444df8775bd0c994db358dc217dd89332207feadae8

SHA512
626fbbd462b318c259f0045f9e1dde40977528e20ce017f931af13f94f0a7cc840320ed287ae52430e0d8fd27f442756a07dcda09041708843a687b1571687b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_6.exe

Filesize
186KB

MD5
28e40b1adae683f70b178d025ea7bf64

SHA1
24851934bbb9a67c6d07e48503e6296c91fff502

SHA256
1cde227af526781ff9553ffef5d3eb52bc5e78240150d8bddd20644f4bf80af5

SHA512
f02b499b6e10411affba70caf96694f6297f6b754c00b6a179421f5aa21a21bb8f8863d87fea358a280979dfede22a06188abc695e5be4ed578bb60d73aada57

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_6.txt

Filesize
101KB

MD5
af594e22ec67d11041c5d6e1b245adc1

SHA1
d8e82de63bf0e83bf045d06dc05a1775f7ad9ff6

SHA256
f18ec3522b5587297304845ce747bdaa08ccba53fcdf712ed1ff1dbb9b8ecfcc

SHA512
2c89f5186b3bc623d8d17e935b5043ab314255d7cca2daf989693d7ede71e6bee35f05a660a7b826cb0c5855a3acbf299c6ce8720d86fd029b2f3dd9748ae17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_7.exe

Filesize
314KB

MD5
77eca1abeef9a96931656e475388e9ab

SHA1
a3158f9ab104b8b0868c14b0570956dea5cc4f54

SHA256
b6144ac7365387c1609688db12706924be6024cc4ce19b0f9ff8ac9c7d58b5c3

SHA512
3b862666033f66f83b93a251c1f32aa71478c1f4f95656c9d8a6310a16b9c9f653e7e7ecf8c8a12328dcb2ba5cf676261c82640b1263ba1a6e65eacd8a8c146e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_7.txt

Filesize
211KB

MD5
51fc83268786de4fb63c1e075b264b64

SHA1
c3ae920e4edab473f6d40ebeb0ef6ef458d29b43

SHA256
ce2d74c6877707623d739ecf170c43611682267d5c809d4a041a9c9574ddbef0

SHA512
cab22975420b3bffbdb466b134bb17712412637bef6c2af2ea53e67e6ee4df0fe492d73c086c337b94b7a11f16aed6608cdaf2da84c9e34484d45f8bb459e251

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_8.exe

Filesize
1KB

MD5
bfe6530012dcd866fd067d9f1725996c

SHA1
752e8569d602d87c046543d48d0054f6bea3f122

SHA256
5dbc71753bca2eec2309785e6fcbcd21045c9fd2d00ee933ddd24084222e87aa

SHA512
19bdc29e7dacb1ff94c865dd353a91fd06348630b2954d50c0cdc14d79f5975e874f552bad5b27a7eb0142b6270d014e969dc457fde76c24b1a75a8e2ac9dfcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_8.txt

Filesize
8KB

MD5
c85639691074f9d98ec530901c153d2b

SHA1
cac948e5b1f9d7417e7c5ead543fda1108f0e9ed

SHA256
55701c6e51fb6a9820d8f9d2ae9db412b60f51c80d288e8baf0ea50e2d03cce4

SHA512
4911ce27e56bac29b247840e6c9de78e875210fd0588d11d9e3a3eae39764bfdd14b56de5de4cf535674a2ba0810c9d823f42b339f650dedb7af42f8b3fd4c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_9.exe

Filesize
450KB

MD5
81322ccf4951f3cfb2cd2ba3fdf1e008

SHA1
f9d3ec716d967e052dc95abd039ec8a1f198d781

SHA256
5af50ac6402c13b02a5bb656aaeddd60ec088a543a45d9da64ad2dc7cfa78e62

SHA512
e4b0f9fcbf5aee5b300ede691f4dda2e7751eadb4720bb1aa7f2716d00517b9e80b2ac23fa6a9eb6978388911f879dbb60bfe52f0c5c2a686dbd98159e496ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\jobiea_9.txt

Filesize
216KB

MD5
7dbc491fd40311f69e5b78f6054eced7

SHA1
fa960317d64951bc1ddad1dbcd1b2b290fb97eb9

SHA256
5e5725c55b29eacdbe5c7003ad67327a24adac1d9420c86fc20103d4bb9d27c5

SHA512
5c17fee5ff5086b8d2ae3d78a02cddd74934e518f2dccf9ece3e25bae2ec94d6b5fc4ef82cc48a861e08ea1af9009edf7e38e501fe0fcce7b59cda01dfab9738

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\libstdc++-6.dll

Filesize
360KB

MD5
a6439ba06a0557748d8034d14071bb90

SHA1
dd29131dd53ca21c8c0035f8edde0bdd895e0b1e

SHA256
29dbe2cd83c2d7c0f4458d431a76441f42e6283999d415a838902311105f86db

SHA512
b5d45ea31af99a4b76ccd1aada87fb8d3a85f06f5409e46f5c12d3f988ae4055da21f25fd8bd24d065859a589398b3e36ddca2e8d663cc79ae08fe16f156069a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS81E06858\setup_install.exe

Filesize
287KB

MD5
1af4f66c85d7fc29a5ab35bedffc6c37

SHA1
bfcd91d0491ff96ab7846ff1eb7d75e66b3dd13c

SHA256
66cd5d1cd30870d048de14d482b3b69a728aaa6ff0e8b4b9e4f5b5f9c7c07291

SHA512
6e4703d0f1b89ce170ecaa7cec448ced3467e4bb52a0c69c89433410c77d05e9fd58d3e2e9367a7c4c591830df4011d2ab66808ca27788cf3b9a0bfcb63d1bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe

Filesize
43KB

MD5
ad0aca1934f02768fd5fedaf4d9762a3

SHA1
0e5b8372015d81200c4eff22823e854d0030f305

SHA256
dc10f50f9761f6fbafe665e75a331b2048a285b1857ad95e0611ace825cba388

SHA512
2fba342010ba85440784190245f74ea9e7c70974df12c241ccb6b72a6e1006a72bd1fa2e657f434d7479758f9508edb315398f6e95d167a78b788cea732be3b7

Download Submit
memory/888-93-0x00007FF82C930000-0x00007FF82D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/888-90-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/888-96-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/888-138-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/1672-104-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

Filesize
36KB

Download
memory/1672-103-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/1672-105-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/1672-126-0x0000000000400000-0x0000000002C66000-memory.dmp

Filesize
40.4MB

Download
memory/1672-130-0x0000000002DD0000-0x0000000002DD9000-memory.dmp

Filesize
36KB

Download
memory/2400-99-0x0000000002910000-0x0000000002916000-memory.dmp

Filesize
24KB

Download
memory/2400-91-0x0000000000840000-0x0000000000878000-memory.dmp

Filesize
224KB

Download
memory/2400-109-0x00007FF82C930000-0x00007FF82D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-97-0x000000001B550000-0x000000001B560000-memory.dmp

Filesize
64KB

Download
memory/2400-95-0x00000000028E0000-0x0000000002908000-memory.dmp

Filesize
160KB

Download
memory/2400-94-0x00007FF82C930000-0x00007FF82D3F1000-memory.dmp

Filesize
10.8MB

Download
memory/2400-92-0x00000000028D0000-0x00000000028D6000-memory.dmp

Filesize
24KB

Download
memory/3372-125-0x0000000003300000-0x0000000003316000-memory.dmp

Filesize
88KB

Download
memory/3696-56-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3696-53-0x00000000007A0000-0x000000000082F000-memory.dmp

Filesize
572KB

Download
memory/3696-60-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3696-63-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3696-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3696-58-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3696-59-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3696-66-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-67-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-65-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-55-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3696-57-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3696-36-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-64-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-54-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3696-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3696-51-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3696-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3696-52-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3696-68-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-69-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/3696-111-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3696-113-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3696-114-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3696-115-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3696-112-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/3696-110-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/4012-107-0x0000000000400000-0x0000000002CC2000-memory.dmp

Filesize
40.8MB

Download
memory/4012-101-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/4012-102-0x0000000004830000-0x00000000048CD000-memory.dmp

Filesize
628KB

Download
memory/4012-139-0x0000000004830000-0x00000000048CD000-memory.dmp

Filesize
628KB

Download
memory/4612-108-0x00000000008B0000-0x000000000099E000-memory.dmp

Filesize
952KB

Download
memory/4612-100-0x0000000072DC0000-0x0000000073570000-memory.dmp

Filesize
7.7MB

Download