443fdb09e2168e3c9c339aa71043ac92ae734e4d90ed38900a47ae01cc496322 | Triage

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:52

Sharing

Report Analysis Logs

General

Target

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Size

4.1MB
MD5

d4c93183cc3458115c7b17c76c56d6ac
SHA1

928a27bc94fa994043f31936938017462052333e
SHA256

b1c521c0935403bf3a7c9bcc15461c123d004bfe4ab0936688dd7323bb477d46
SHA512

332ac4a8d3d6fca168b10f98780e5f6c4d009c516214b255f1f229ea7aa92b4a7a86241eaefe9b9e9355b97cc13d457406fbb26188d00b50512c831c0017b8e9
SSDEEP

98304:1Cx5EK2RUXueGfBtjJOqv9oGH+w8Wap2ILugbc2Uh9hTYGjc2:HR/fB3Oc9b+6ec2UVL42

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exeSid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

pid	process
2040	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Loads dropped DLL 2 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

pid	process
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Drops file in System32 directory 44 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ws2_32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\Wldp.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\user32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\SHLWAPI.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\imm32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\windows.storage.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\KERNEL32.DLL	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\version.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\PROPSYS.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\winmm.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shcore.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\TextShaping.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\KERNELBASE.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\kernel.appcore.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\bcryptPrimitives.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\psapi.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ole32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\comdlg32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\MSCTF.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\GDI32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\clbcatq.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\imagehlp.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\combase.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\RPCRT4.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\win32u.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\gdi32full.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Drops file in Windows directory 1 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984\comctl32.dll	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

pid	process
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

description	pid	process
Token: SeDebugPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeLoadDriverPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeCreateGlobalPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: 33	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeSecurityPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeTakeOwnershipPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeManageVolumePrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeBackupPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeCreatePagefilePrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeShutdownPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeRestorePrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: 33	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
Token: SeIncBasePriorityPrivilege	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

pid process

4600 Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exeSid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exeSid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.execmd.exe

description	pid	process	target process
PID 1604 wrote to memory of 2040	1604	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
PID 1604 wrote to memory of 2040	1604	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
PID 1604 wrote to memory of 2040	1604	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
PID 2040 wrote to memory of 4600	2040	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
PID 2040 wrote to memory of 4600	2040	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
PID 2040 wrote to memory of 4600	2040	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
PID 4600 wrote to memory of 332	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	cmd.exe
PID 4600 wrote to memory of 332	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	cmd.exe
PID 4600 wrote to memory of 332	4600	Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe	cmd.exe
PID 332 wrote to memory of 2072	332	cmd.exe	msedge.exe
PID 332 wrote to memory of 2072	332	cmd.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
"C:\Users\Admin\AppData\Local\Temp\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start http://mrantifun.net
      4⤵
      Suspicious use of WriteProcessMemory
      PID:332
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mrantifun.net/
        5⤵
        
        PID:2072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3740,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:1
1⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4524,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=1340 /prefetch:1
1⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3692,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=5308 /prefetch:1
1⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5336,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
1⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5448,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
1⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5928,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=5888 /prefetch:1
1⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6092,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:1
1⤵
PID:2948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6124,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
1⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5776,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\CET_Archive.dat

Filesize
3.7MB

MD5
1da9cb83770337250ef0476dc1d97342

SHA1
a06e35b14edb2a76f8a14821e3c2f41140d86ade

SHA256
28f3cae841d0c61a8a9cc2b196098b5f84b69fa92e20f046bf5556cdd8302ff8

SHA512
23390e81764a53d614219ce1d71fc4491ba3561df204b4c3c1b65710a7a6d7df79b5732994dfec9a8be15a54c7e5ba24f4c466536a1326752afc0f4771386948

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
149KB

MD5
110755e488ccce526d060e3aeb4a2d0f

SHA1
2055e7ba4416fedba7dd5c6b75ac8dc53954cd63

SHA256
38c31b2b6aebfee48cacac3cc7006a2e8634aa55baab2dfd7849fa453b748216

SHA512
b17673884be797dce2541b0bbb603feed472e329f1f2d8823c4bf89331527bf2ebaf692a753e310bcffe683eb8d7f3e618ddf8b4c596869be83b8031a216a47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\Sid Meiers Civilization Beyond Earth V1.1.0.1043 Trainer +9 MrAntiFun.exe

Filesize
7.3MB

MD5
36907aa4585e7b06a4c471d3bb9ed719

SHA1
6414c458ab2123f186938ecbb21cda359a15505d

SHA256
03b71aca53dd5562683694b754e01652336b40fb9c38efb14f5d09e891df90b6

SHA512
cfaf333cbbb0ddc63cd10237e436c1dead130e2ebc97590c96171d83a2b783a59e025e45809737b9c4f95b66a3a74b75b91fcf6fc1c09a7624177a029d902e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\defines.lua

Filesize
5KB

MD5
d8f9b4a10a48ebd8936255f6215c8a43

SHA1
7d8ff0012fa9d9dcf189c6df963f1c627f2ccb76

SHA256
d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2

SHA512
67db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
2730ff589ae86ef10d94952769f9404f

SHA1
8010834297a6aa488e6bf90eceaaf9e60bb60c6e

SHA256
faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b

SHA512
5fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CETE649.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
memory/4600-20-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/4600-22-0x0000000006860000-0x00000000068A0000-memory.dmp

Filesize
256KB

Download
memory/4600-23-0x0000000006860000-0x00000000068A0000-memory.dmp

Filesize
256KB

Download