18c5deaf2c328bb86d5296afc5ec288b86cf11483fcb3266e1e7dace7fa986bf

Analysis

max time kernel
20s
max time network
146s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

667.6MB
MD5

7cc20058012097efa4abde90287e38f4
SHA1

82f54527ff8cd2695dc391f39978dee0192b3080
SHA256

18aca5c964d48dc9d8cdcd4a4a7a4be5fba19f72c5aa94d2090e84dbad4ea38b
SHA512

c208d3e6fc5a0fb3b10cc8ebd69976bda8e3b2cb49debd425b1b19e49afd78795772c1c085dbd8f2e5836340bcf9ee2ef941d99e114bec7726062178a6dcd856
SSDEEP

196608:kpHkUgQgnjoklXR4R4rwEH5OTSFG+OIvcW/rBXBFIoioPPPEdAL6M6:kpHkUAckl6qPHcSBXBFOAUdk6P

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

RA5ftxMmABtT9PhOTUVi.exeaida64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RA5ftxMmABtT9PhOTUVi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	aida64.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RA5ftxMmABtT9PhOTUVi.exeaida64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aida64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aida64.exe

Executes dropped EXE 3 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exeY1TIHdrjxCJ6NsoGpldc.exeaida64.exe

pid process

2512 RA5ftxMmABtT9PhOTUVi.exe
2564 Y1TIHdrjxCJ6NsoGpldc.exe
1948 aida64.exe

Loads dropped DLL 10 IoCs

Processes:

Loader.exeWerFault.exeservices.exe

pid	process
2644	Loader.exe
2644	Loader.exe
2644	Loader.exe
2644	Loader.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
2876	WerFault.exe
480	services.exe
480	services.exe

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe	themida
\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe	themida
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe	themida
behavioral1/memory/2512-9-0x000000013FFD0000-0x0000000141267000-memory.dmp	themida
behavioral1/memory/2512-22-0x000000013FFD0000-0x0000000141267000-memory.dmp	themida
behavioral1/memory/2512-23-0x000000013FFD0000-0x0000000141267000-memory.dmp	themida
behavioral1/memory/2512-24-0x000000013FFD0000-0x0000000141267000-memory.dmp	themida
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe	themida
C:\ProgramData\AIDA64\aida64.exe	themida
C:\ProgramData\AIDA64\aida64.exe	themida
behavioral1/memory/2512-242-0x000000013FFD0000-0x0000000141267000-memory.dmp	themida
\ProgramData\AIDA64\aida64.exe	themida
C:\ProgramData\AIDA64\aida64.exe	themida
\ProgramData\AIDA64\aida64.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RA5ftxMmABtT9PhOTUVi.exeaida64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RA5ftxMmABtT9PhOTUVi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aida64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 pastebin.com
5 pastebin.com

flow	ioc
4	pastebin.com
5	pastebin.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeRA5ftxMmABtT9PhOTUVi.exesvchost.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	RA5ftxMmABtT9PhOTUVi.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exe

description pid process target process

PID 2512 set thread context of 1032 2512 RA5ftxMmABtT9PhOTUVi.exe dialer.exe

description	pid	process	target process
PID 2512 set thread context of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exesvchost.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2952	sc.exe
1644	sc.exe
2036	sc.exe
1468	sc.exe
2692	sc.exe
2648	sc.exe
2760	sc.exe
2276	sc.exe
344	sc.exe
1628	sc.exe
1680	sc.exe
1668	sc.exe
2536	sc.exe
2548	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2876 2564 WerFault.exe

pid	pid_target	process
2876	2564	WerFault.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0fc4b9b6b98da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RA5ftxMmABtT9PhOTUVi.exepowershell.exedialer.exe

pid	process
2512	RA5ftxMmABtT9PhOTUVi.exe
2664	powershell.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
2512	RA5ftxMmABtT9PhOTUVi.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe
1032	dialer.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeRA5ftxMmABtT9PhOTUVi.exedialer.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2512	RA5ftxMmABtT9PhOTUVi.exe
Token: SeDebugPrivilege	1032	dialer.exe
Token: SeAuditPrivilege	876	svchost.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

Loader.exeY1TIHdrjxCJ6NsoGpldc.execmd.exeRA5ftxMmABtT9PhOTUVi.exedialer.execmd.exeservices.exe

description	pid	process	target process
PID 2644 wrote to memory of 2512	2644	Loader.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 2644 wrote to memory of 2512	2644	Loader.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 2644 wrote to memory of 2512	2644	Loader.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 2644 wrote to memory of 2512	2644	Loader.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 2644 wrote to memory of 2564	2644	Loader.exe	Y1TIHdrjxCJ6NsoGpldc.exe
PID 2644 wrote to memory of 2564	2644	Loader.exe	Y1TIHdrjxCJ6NsoGpldc.exe
PID 2644 wrote to memory of 2564	2644	Loader.exe	Y1TIHdrjxCJ6NsoGpldc.exe
PID 2644 wrote to memory of 2564	2644	Loader.exe	Y1TIHdrjxCJ6NsoGpldc.exe
PID 2564 wrote to memory of 2876	2564	Y1TIHdrjxCJ6NsoGpldc.exe	WerFault.exe
PID 2564 wrote to memory of 2876	2564	Y1TIHdrjxCJ6NsoGpldc.exe	WerFault.exe
PID 2564 wrote to memory of 2876	2564	Y1TIHdrjxCJ6NsoGpldc.exe	WerFault.exe
PID 2564 wrote to memory of 2876	2564	Y1TIHdrjxCJ6NsoGpldc.exe	WerFault.exe
PID 2444 wrote to memory of 1668	2444	cmd.exe	sc.exe
PID 2444 wrote to memory of 1668	2444	cmd.exe	sc.exe
PID 2444 wrote to memory of 1668	2444	cmd.exe	sc.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 2512 wrote to memory of 1032	2512	RA5ftxMmABtT9PhOTUVi.exe	dialer.exe
PID 1032 wrote to memory of 436	1032	dialer.exe	winlogon.exe
PID 1032 wrote to memory of 480	1032	dialer.exe	services.exe
PID 1032 wrote to memory of 496	1032	dialer.exe	lsass.exe
PID 1032 wrote to memory of 504	1032	dialer.exe	lsm.exe
PID 1032 wrote to memory of 612	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 696	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 768	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 840	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 876	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 992	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 296	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 1064	1032	dialer.exe	Dwm.exe
PID 1032 wrote to memory of 1092	1032	dialer.exe	Explorer.EXE
PID 1032 wrote to memory of 1124	1032	dialer.exe	spoolsv.exe
PID 1032 wrote to memory of 1132	1032	dialer.exe	taskhost.exe
PID 1032 wrote to memory of 1184	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 2716	1032	dialer.exe	svchost.exe
PID 1032 wrote to memory of 2744	1032	dialer.exe	sppsvc.exe
PID 1032 wrote to memory of 2512	1032	dialer.exe	RA5ftxMmABtT9PhOTUVi.exe
PID 1032 wrote to memory of 1628	1032	dialer.exe	sc.exe
PID 1032 wrote to memory of 1568	1032	dialer.exe	conhost.exe
PID 2096 wrote to memory of 2052	2096	cmd.exe	choice.exe
PID 2096 wrote to memory of 2052	2096	cmd.exe	choice.exe
PID 2096 wrote to memory of 2052	2096	cmd.exe	choice.exe
PID 480 wrote to memory of 1948	480	services.exe	aida64.exe
PID 480 wrote to memory of 1948	480	services.exe	aida64.exe
PID 480 wrote to memory of 1948	480	services.exe	aida64.exe
PID 1032 wrote to memory of 1948	1032	dialer.exe	aida64.exe
PID 1032 wrote to memory of 2760	1032	dialer.exe	sc.exe
PID 1032 wrote to memory of 2952	1032	dialer.exe	sc.exe
PID 1032 wrote to memory of 2096	1032	dialer.exe	cmd.exe
PID 1032 wrote to memory of 2700	1032	dialer.exe	conhost.exe
PID 1032 wrote to memory of 1480	1032	dialer.exe	conhost.exe
PID 1032 wrote to memory of 2052	1032	dialer.exe	choice.exe
PID 1032 wrote to memory of 1948	1032	dialer.exe	aida64.exe
PID 1032 wrote to memory of 2620	1032	dialer.exe	powershell.exe
PID 1032 wrote to memory of 2440	1032	dialer.exe	conhost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:612
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:696
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Drops file in System32 directory
  PID:768
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:840
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:992
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1124
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1132
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1184
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2716
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2744
- C:\ProgramData\AIDA64\aida64.exe
  C:\ProgramData\AIDA64\aida64.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:1948
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2668
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2672
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2548
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1668
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2036
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1644
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2208
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2060
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:2720

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1092
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe
    C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:1668
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2536
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1680
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:344
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2648
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2692
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1032
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "AIDA64"
      4⤵
      Launches sc.exe
      PID:1468
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "AIDA64" binpath= "C:\ProgramData\AIDA64\aida64.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1628
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2760
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "AIDA64"
      4⤵
      Launches sc.exe
      PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2052
- - C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe
    C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 116
      4⤵
      Loads dropped DLL
      Program crash
      PID:2876

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1003671455-188623811019287292701487675901-1770786046286860807-324086160-993486807"
1⤵
PID:1568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "955069663-19633978231353454266201006544414097531614506109916564072671961314643"
1⤵
PID:2700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5108073871294968014-586231890-765069673-1010101038-4558220661235731458-1649284524"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "98658426320143212511995725725-5839277341831890513-1134105052-591575962-2037698182"
1⤵
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AIDA64\aida64.exe

Filesize
209.1MB

MD5
6ce3eb5c677c40ec23b7be6ca58d06fe

SHA1
9124be8e783b8d5ddfa8b5ffd915f13fffe91f07

SHA256
ec14f16cda8a056e235e757346ec3ca184beb32351b9eb7f4604d7c6587fecf8

SHA512
1578c216356f84fcb41da994e187352e3e896740f48fe76aa7576f9a76e455969eecb5e60a72d488984461dd64c6811f9be6df5c90731d8e1be5c1d289109880

Download Submit
C:\ProgramData\AIDA64\aida64.exe

Filesize
207.6MB

MD5
5c0e0dbab3be02199ee0de560f204930

SHA1
f8c168636eb6f6e178bdeacb8ba766471804ed8d

SHA256
c2eacda2098b947f07d40d0142ab75de229444050ff55c711ae07642b8a4c5b1

SHA512
7df9d07afd6067bc30297294888dfbe3af3cd0272ffef34e3722fa78d1fc6d3f2ba7088f5a067f9d8640922fa2eb27b31cadcf7b28681cdaee5bf050ff33872a

Download Submit
C:\ProgramData\AIDA64\aida64.exe

Filesize
205.6MB

MD5
4ac0e2d51d3534560e8b38e530f77732

SHA1
722d6d541d6d2054670ff2d6cb41912fd00c0f4a

SHA256
c29c33003cf2b795f1882a2347e71accacb370516ff6c6cbe7c02de95706edb8

SHA512
51aca57f33187c11ca2f9260c8087d505ee3bac10c106f034c7633e95a40dbbfae62798ac6bdf0eeabd4c34fbc2778581c80aa524368b62a7a18b520983ecf84

Download Submit
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
211.1MB

MD5
547c076569a867474561f7b02450280e

SHA1
f5ce2870ab42529bb7a65f683df5abc8417bacbf

SHA256
ba9f164752764a79d90af74086e2201be009729a5f42a7cbb8db4e1a2990978b

SHA512
77f5b90fdd70e161663d01e8c9589ab5703278380bb5820d1d4948af383d6ef67fc8fc696e2302b1a8e7a638efb23fdc39d87d684b55a9ee59d6281313d86f53

Download Submit
C:\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
184.0MB

MD5
ecbdd09a8fd8f01525f4233939ae68f8

SHA1
94a4f560ede9fcedaccc5092694339edcc49b2ca

SHA256
d7bd4d29107c96165160713c5bf6b750002845989825ef12526db1f61a03da68

SHA512
36dfdbe2df2590827e80276f0e975a1685ca56e04546f4189372d17a927123bd1ce42d4f4a763136da813daf390903eb4528a8d8a8e683ca33f471d182dac11b

Download Submit
C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
217.7MB

MD5
b82da37e2e0652e3e8cbeb165be76f16

SHA1
fd21d99e4b767ebbca437f2b99e8f86caea3a067

SHA256
bf702236e16a2f7f40c557755ab610da7043727a1c306b25a386ce79a928c9b5

SHA512
2085f90e7824544597c9750ad8f548299db1ba7d8b2a10c41025f797c9627f62ae70a1fbbe686000e645f077a47fd6cd8f8bf7a603e727c6c3847a42d21260af

Download Submit
C:\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
215.1MB

MD5
5010566967680cdd4ccdd6d305d88df8

SHA1
e5030c8b98044339fda3eb66d0478b7329f63bf3

SHA256
c2089418cb9c884bf1db9097de45a7bec4a11e6c3fc2d6facc10b10c7b31db19

SHA512
5de063dc456988680c6b92d8a4ef8eccdd1dc3c4c5bfa88ee97de4e3c113ea46811ba6d704eac241654ee8d1121b01a8e7682f885842021aa6c16960187040e9

Download Submit
\ProgramData\AIDA64\aida64.exe

Filesize
204.0MB

MD5
32ce6998dfa701e7d0777c25c4cc216d

SHA1
d5b85d3264a37aa7eb6dd9179a4601d27629bd01

SHA256
cc4291d9f336ba109f5ff2197a7be3ecc134d2b3d54b18b87a9e78868ae3acdf

SHA512
aed826e6ec82d49bc1e4a659a97c0d1fc700c93fd5080b0994f821ff9834d5061d053491f9a5529f91dceac7c2aa31d2d8e942918d3e5b7cc7a136ad1b132fa8

Download Submit
\ProgramData\AIDA64\aida64.exe

Filesize
209.8MB

MD5
d2c5a57437581f1eb581b549f585b64d

SHA1
ae1e5c513d86fa782c4664c1cb1fc8c8295bab45

SHA256
276f35c3f35e5a225583f81b8ed36ad688e872acd488f0b096864035d7b28079

SHA512
123200e67331410539bcac6ae5d68bed6831ec0296d72dd918ecc4a1ac2a718513d682e04af050495d1b1640a5322ab39911b8ec1b9fa55a8dd4abd4b911b6e3

Download Submit
\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
187.7MB

MD5
af3d86b2f5145c8b2e2a1a71fa2b8dce

SHA1
d8968ab9ae314372deb14d84efa827ec1e728071

SHA256
0d5230f0afa905d3a011f82e08a713f74e1c582b2bb8720cfe7222d4c423b905

SHA512
c8227e9e4d9e2315c11bb01dae197bf521c2571406dfbcd20784c93a2f0eee7b174c3e0e187957d5b0cfa37c4dab5f48cc96b1a34b86c98b6cbe95f8d45ef7a0

Download Submit
\Users\Admin\AppData\Roaming\RA5ftxMmABtT9PhOTUVi.exe

Filesize
187.5MB

MD5
bd30d588087c9b979b3cf474d8d4b7cf

SHA1
049036b47176c68e74d98abb0a765c2c5bdf6e6f

SHA256
7eba0c0225ffbd475173464c9a7521b08f50f304ea4255afb8d936d1bcd51de7

SHA512
e160ad5679516f49bbc91d5600e028e2da3c126e6963c698db24f4d836e54dfcc8aea1434e6ba7c90bcc889f477f13d6debf455d485dc2aac3abbb05f0fa203b

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
215.2MB

MD5
856aae1745a372b797005459e055432e

SHA1
4b766f9204035d0015e471359476bce4c5154248

SHA256
31dd13c670224d901fde38f08ecd55f1280fd9ad4e63ed3c419a6fb8132e9a2e

SHA512
e48150e0972521ea8ed49ec05e697e1a0766207d16e0ee16b65d9cb78feeccf9c6b237a6d7a7ebfac11cee366049ce26ce541ca53827fb61d1949d61e8ae76ba

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
215.7MB

MD5
28dca221c60cc8cc8c4e56313c2d488e

SHA1
ec0d11f4ce77762787d040efb15dc3264fd56ce0

SHA256
35397db581519dbd9afa9e6b95cfe157e175bce6b9dc2af70904a867e2eb4768

SHA512
7bf79e2132579e9fcdd93a006b791b1a7d44a71f76150c871d1b39c46f12c2eedbe81d78c1b6be160de14baffd65e8112679d430a410d4603f14fe1157bf99ad

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
223.2MB

MD5
0b586a031646a2cff8095920aaaef120

SHA1
e08ca8d267a45cafe5cb5982794b25ebe38ba4a5

SHA256
315399a44df4da23135fb3c27c383762009ad9cc40f5c1a51ab3ff667897e674

SHA512
5b4a7c076d58851fbfd836eb63a7a1b409430312c6ae20815feaa5dc25b7d459da488a3dca30edebb34f25cc70d0f0a2d806c989d8c5eee45f5d1421bebd183b

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
225.2MB

MD5
a71f99f17d8ac653f4d3f2648258a357

SHA1
33ad7c14228f56d337e1f3e2f2009507c73fcdac

SHA256
b9648b4e31b6940ec17239cd3f2659261db51556a72b5cde6f94487bba514b68

SHA512
b56e0377c29d0a0001c07dc777c7f9e36475b2b725fcac231e74520f8cd6b50fbfa1a1768477487c66cb501c5ff3a7189dae57fb6619a126bab3ccf2a31bf903

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
217.6MB

MD5
854b94a20912bc6dc4fd9167cea7616b

SHA1
d6d825f4a1e4d1ef6c823280ce91fe68fc49016b

SHA256
c9bb6fc9bd641b97282e33e276055aa3cd4f06b301245709c3e1457d8c1e0080

SHA512
bc0f991d79e2e4d2852702c57b79949618957e7c86cf2128c662b0a1b122ab09428ccaf28fd4a3a41424bdfeae0b138a1755705c05b767489f4b79cf9fc09adc

Download Submit
\Users\Admin\AppData\Roaming\Y1TIHdrjxCJ6NsoGpldc.exe

Filesize
224.0MB

MD5
16e2cf1294f024931baea9029e447175

SHA1
a8bf28fc1aa9d3e951b3e0bddf9b233082fd47b2

SHA256
c0689f66f2b1585516fe9e91ebfc94ab4e234502645ecfa38da96191ab1385f7

SHA512
4809600099714f73b3bec7c6d3ed35c84fc8cb9692dc90f51c59c25c7857cc5087edfa39a3143029eaf1e74062d28afc671c62bf53a926b0b663afea76715e93

Download Submit
memory/436-74-0x0000000000C40000-0x0000000000C6B000-memory.dmp

Filesize
172KB

Download
memory/436-42-0x0000000000B70000-0x0000000000B94000-memory.dmp

Filesize
144KB

Download
memory/436-77-0x0000000037BC0000-0x0000000037BD0000-memory.dmp

Filesize
64KB

Download
memory/436-76-0x000007FEBDF60000-0x000007FEBDF70000-memory.dmp

Filesize
64KB

Download
memory/436-45-0x0000000000B70000-0x0000000000B94000-memory.dmp

Filesize
144KB

Download
memory/480-447-0x000000013F490000-0x0000000140727000-memory.dmp

Filesize
18.6MB

Download
memory/480-92-0x0000000000220000-0x000000000024B000-memory.dmp

Filesize
172KB

Download
memory/480-247-0x000000013F490000-0x0000000140727000-memory.dmp

Filesize
18.6MB

Download
memory/480-224-0x000000013F490000-0x0000000140727000-memory.dmp

Filesize
18.6MB

Download
memory/504-80-0x0000000000460000-0x000000000048B000-memory.dmp

Filesize
172KB

Download
memory/504-82-0x0000000037BC0000-0x0000000037BD0000-memory.dmp

Filesize
64KB

Download
memory/504-81-0x000007FEBDF60000-0x000007FEBDF70000-memory.dmp

Filesize
64KB

Download
memory/696-86-0x0000000037BC0000-0x0000000037BD0000-memory.dmp

Filesize
64KB

Download
memory/696-85-0x000007FEBDF60000-0x000007FEBDF70000-memory.dmp

Filesize
64KB

Download
memory/696-84-0x00000000003E0000-0x000000000040B000-memory.dmp

Filesize
172KB

Download
memory/1032-39-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1032-38-0x0000000077960000-0x0000000077A7F000-memory.dmp

Filesize
1.1MB

Download
memory/1032-37-0x0000000077B80000-0x0000000077D29000-memory.dmp

Filesize
1.7MB

Download
memory/1032-36-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1032-34-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1032-33-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1032-32-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1032-31-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2512-22-0x000000013FFD0000-0x0000000141267000-memory.dmp

Filesize
18.6MB

Download
memory/2512-24-0x000000013FFD0000-0x0000000141267000-memory.dmp

Filesize
18.6MB

Download
memory/2512-23-0x000000013FFD0000-0x0000000141267000-memory.dmp

Filesize
18.6MB

Download
memory/2512-242-0x000000013FFD0000-0x0000000141267000-memory.dmp

Filesize
18.6MB

Download
memory/2512-9-0x000000013FFD0000-0x0000000141267000-memory.dmp

Filesize
18.6MB

Download
memory/2644-8-0x0000000002F80000-0x0000000004217000-memory.dmp

Filesize
18.6MB

Download
memory/2644-7-0x0000000002F80000-0x0000000004217000-memory.dmp

Filesize
18.6MB

Download
memory/2664-29-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2664-30-0x0000000002850000-0x0000000002858000-memory.dmp

Filesize
32KB

Download