Analysis Overview
SHA256
349838094cda907d089098bfc3a0839a63959b36f40344e4023cec7218acf92e
Threat Level: Shows suspicious behavior
Verdict for the file 02f7524fbcca9e5fb197f47eabc66bbe.bin: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Checks installed software on the system
Blocklisted process makes network request
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-04 01:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 01:00
Reported
2024-06-04 01:03
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe | N/A |
Reads user/profile data of web browsers
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI2EFD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI319F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI326D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f762b74.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI31DF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI322E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI354E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI2FA9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3018.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762b74.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f762b75.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI31AF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI332A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI351E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f762b75.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe
"C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 56D042A85CA163DCDF4B71DD20270003
C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"
C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe
C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe --send "/status.xml?clid=2382047&uuid=33612107-553F-4635-8D1B-3A86777D534a&vnt=Windows 7x64&file-no=6%0A15%0A25%0A45%0A57%0A59%0A111%0A125%0A129%0A"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | clck.yandex.ru | udp |
| RU | 87.250.251.14:80 | clck.yandex.ru | tcp |
| RU | 77.88.21.14:80 | clck.yandex.ru | tcp |
| US | 8.8.8.8:53 | soft.export.yandex.ru | udp |
| RU | 87.250.254.20:80 | soft.export.yandex.ru | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
| MD5 | 43937c99760d32c5bc1133505811d595 |
| SHA1 | 079ae507971b9c19dd6b4b4379defc3227edf978 |
| SHA256 | af7328aabb530a997c5e8dd39b1ba7c6d28ed756bafc7afde1ae894c28cfd806 |
| SHA512 | d6b19c9bfc431fba4dc981c09061a00856435736d21485a7d435b9ca132bb752b0cd272eb68f1a30172caf82b371001c626dec08d9a829566ab8a250f92d753f |
C:\Users\Admin\AppData\Local\Temp\Cab2760.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar2783.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar2882.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
| MD5 | 91d22caef3a35aeef8fe188753d81045 |
| SHA1 | dfa7909588db1519e1ac12d2f67899a31600f5ee |
| SHA256 | 8888ef6480c90307d83fb73028dc8486813fc0180b550f9bf218bd4262004378 |
| SHA512 | 15c96ae72595b791bf9542ceaa94564c0e92fb4ff826e023182498178d2f427f554f2423d35dd508166c3d2189f85262c6597404b5db7e5b3825b385a481ac2b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2e32a0af9f17970cf28768882cac0bca |
| SHA1 | 81a9b6be61cf4b2bd4d46e764b29a0a2759e1337 |
| SHA256 | be48465969bb8d323a2f41a619a74955d6c1105cc83c6449ed29f9ad5fbdb595 |
| SHA512 | 9c81b25ae145b9b27cfe593875441b19703930261716c411d9cad84053cd4522e65fcdf63540093fadfef4aef40cf41fac1fcd8b55d3e2dc5e4a8515e6723db6 |
\Windows\Installer\MSI2EFD.tmp
| MD5 | 0c80a997d37d930e7317d6dac8bb7ae1 |
| SHA1 | 018f13dfa43e103801a69a20b1fab0d609ace8a5 |
| SHA256 | a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86 |
| SHA512 | fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5 |
C:\Windows\Installer\MSI2FA9.tmp
| MD5 | e6fd0e66cf3bfd3cc04a05647c3c7c54 |
| SHA1 | 6a1b7f1a45fb578de6492af7e2fede15c866739f |
| SHA256 | 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2 |
| SHA512 | fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb |
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
| MD5 | 281e659e73e029f83f4d70c3a4133593 |
| SHA1 | ed83fa8543310d058e038b78285396c534c743d0 |
| SHA256 | bb4f08a2684d5c9ea18b14f0febbaeef735aeee8c64c0bef827d8ea961930c25 |
| SHA512 | d0b414ba69460b2ed72a1a937bb3f599ee74816ddbb25e5d894530b42005e8f3faf662b237a26aef500f627685e95e4996d4ab5c64e39e4102c22e0f5b99682a |
\Users\Admin\AppData\Local\Temp\E2F48082-47D5-4D7C-9C79-75720BC85F3B\lite_installer.exe
| MD5 | aafdfaa7a989ddb216510fc9ae5b877f |
| SHA1 | 41cf94692968a7d511b6051b7fe2b15c784770cb |
| SHA256 | 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc |
| SHA512 | 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44 |
\Users\Admin\AppData\Local\Temp\ED027176-629E-4B78-AF30-A74FC691BBF8\seederexe.exe
| MD5 | 225ba20fa3edd13c9c72f600ff90e6cb |
| SHA1 | 5f1a9baa85c2afe29619e7cc848036d9174701e4 |
| SHA256 | 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797 |
| SHA512 | 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3 |
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
| MD5 | 751ba1f9a431ddb7dd5ad2693a642423 |
| SHA1 | 7952264c1bd9d32a73fb17039662f147fe0cf09b |
| SHA256 | e9ff2ac66c6736f7e1c64aa828f8eb522f73d715a6870ed6a39f77fc858c81fc |
| SHA512 | 57cbc62a53b701dd7f86525389fa736f952aa7f7271137bcde86a59012347899e97c86e888d9a879a1e27fe113b860dcf4f9f2820b7e5a19d199fc13c446bbc1 |
C:\Users\Admin\AppData\Local\Temp\[email protected]
| MD5 | 63a2a353bc83c6dd2b1510139cf5c31c |
| SHA1 | 911b47bd9dfd3d65eaf1d8f41b812ba51c79381f |
| SHA256 | 38f8a8769a3072589074a2f9443138a5e25d46fe47012dd963dc4d271dcf54a0 |
| SHA512 | d13db45dd84205039648240e881ba520d63d800aff0db4d8bfe60fab445663531136fb528ceb94bbdcc9fb4e23c791975b5c33b5dcf131850d32e08ed9f6fb22 |
C:\Users\Admin\AppData\Roaming\Yandex\ui
| MD5 | ef1bcacfb940f4468f819dd0b44d298c |
| SHA1 | 6ca4ff20d747a107af37068ff0a302fe61658231 |
| SHA256 | 1131b135c2e059471bb5157b1ae9785d5b38eb23513e92f8d2aa26a447284414 |
| SHA512 | 6e8d731762508020de0cb782d8bee7c4b1a80a1ae5bac77aa44c0628ee9c1cea6dd9bc3f1299dc7bd2ebcaca89bf257469905496499981600ad9e0890479cc5a |
C:\Config.Msi\f762b76.rbs
| MD5 | f7d40dbec6cd7402ecb137000a4a868a |
| SHA1 | 2ce9c4be14f700ef3dad6e16df5d2a7b769823e6 |
| SHA256 | e94ac79cdb19a51c813840dd2576dcf8a0792f04fc416a9a7bae993f66a30872 |
| SHA512 | e4c00ea6c057e7859c1e462ca4d73698f2f6b7ba86fdcb27d28cc68dad5490fe5a6b49f316e039d0d21020358e205a9c20e38b595c59a113458cd09626dbe5c5 |
C:\Users\Admin\AppData\Local\Temp\OMNIJA~1.ZIP
| MD5 | cf385fabc0031978c8d675a4b5bc2894 |
| SHA1 | 20945726e5e71cb937fae380d42e65eaef1d8521 |
| SHA256 | a0ea546ddbb9d9e37b653e9b71992328b2b78a58d5581224d3d898f36bf88a81 |
| SHA512 | 7e55feb248b97edfad6a15499f5720551fe33391291a39b65ac912e41407811503f42b5156f355ff45a0f7d8ea0d5fb1b40a50e44dbc64318cd653f5fdc15b15 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nfhvy4wu.Admin\places.sqlite-20240604010039.037200.backup
| MD5 | 314cb7ffb31e3cc676847e03108378ba |
| SHA1 | 3667d2ade77624e79d9efa08a2f1d33104ac6343 |
| SHA256 | b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1 |
| SHA512 | dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240604010039.271200.backup
| MD5 | af006f1bcc57b11c3478be8babc036a8 |
| SHA1 | c3bb4fa8c905565ca6a1f218e39fe7494910891e |
| SHA256 | ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c |
| SHA512 | 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240604010039.271200.backup
| MD5 | 3adec702d4472e3252ca8b58af62247c |
| SHA1 | 35d1d2f90b80dca80ad398f411c93fe8aef07435 |
| SHA256 | 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335 |
| SHA512 | 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0 |
C:\Users\Admin\AppData\Local\Temp\4E90AD90-2D65-42B7-99AD-31FEB709715D\sender.exe
| MD5 | f1a8f60c018647902e70cf3869e1563f |
| SHA1 | 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9 |
| SHA256 | 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577 |
| SHA512 | c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 01:00
Reported
2024-06-04 01:03
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
134s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Enumerates connected drives
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI1ADC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1BC8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1C18.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1CA5.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1902.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI19FE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1A8D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1B3B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5816b0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5816b0.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1990.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1827.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI1A3E.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = (blob data omitted) | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe
"C:\Users\Admin\AppData\Local\Temp\02f7524fbcca9e5fb197f47eabc66bbe.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 13D396AAD6C5018467648A3BFC7E0133
C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe
C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe --send "/status.xml?clid=2382047&uuid=58e02dc9-3ebe-4afc-95ae-02113ed8679e&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clck.yandex.ru | udp |
| RU | 77.88.21.14:80 | clck.yandex.ru | tcp |
| US | 8.8.8.8:53 | 14.21.88.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | soft.export.yandex.ru | udp |
| RU | 93.158.134.14:80 | clck.yandex.ru | tcp |
| RU | 87.250.254.20:80 | soft.export.yandex.ru | tcp |
| US | 8.8.8.8:53 | 14.134.158.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.254.250.87.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.80.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
| MD5 | 43937c99760d32c5bc1133505811d595 |
| SHA1 | 079ae507971b9c19dd6b4b4379defc3227edf978 |
| SHA256 | af7328aabb530a997c5e8dd39b1ba7c6d28ed756bafc7afde1ae894c28cfd806 |
| SHA512 | d6b19c9bfc431fba4dc981c09061a00856435736d21485a7d435b9ca132bb752b0cd272eb68f1a30172caf82b371001c626dec08d9a829566ab8a250f92d753f |
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
| MD5 | 5087cf6d27cd1d262c9d7026d99570a4 |
| SHA1 | f5939eef20513cf63d86c6b9c0f77b7f2c37db5b |
| SHA256 | c2819e8b353a44047aba048d2ed6d004fc5fa7d107055c96e83038690a4c8597 |
| SHA512 | 4f650a6aadaf6d090bdff9e7d21a868365505dabc41de28afe18c651ebc9d5cb391d8f76b51416a4a42d50f5d28a3c0c46eae5c2c549ba3f6f676b3e18b40c3d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
| MD5 | 26c0bbd19631c66b3462943385c2d590 |
| SHA1 | 294b3b59a34d9f12655f4c6582042ddf0a0c4ab5 |
| SHA256 | b5ad09be1935bcd6ea92903252458d36a437d558bd958298c3bb9f4b45e95d03 |
| SHA512 | 3fdcc2124c26da841925091869110b7a4610f2580bcd77c320bd8e96105d100c87d50b850669b524971b080d4eb3178b5ffa2bf851bc3e185059252c46b69b79 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_394487CAFBCFB8C5917AD7A10924C8A7
| MD5 | 923e6cc53e302c56adbcc7e64f538c49 |
| SHA1 | 82a77bc69abe3a198ae951c53987c215e8016091 |
| SHA256 | 5b28449d7d0288da7d026d87482404d0d75f0e84e01a51c8d3ba1143b45d680b |
| SHA512 | d8672572b332a4de2139c028d349529a6e5e8801d9d9316a089c0091dea6de55feef423d9f3770fb6c38938439f4dee2114500491ddba125ae5f00afb03031a7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
| MD5 | 17c39322c6b0ea6ec6b2a3ccee05b3e0 |
| SHA1 | f9048f67f15595e6eb9b38ab3aa7ec373d350bc9 |
| SHA256 | d1b45b42156a70fe4dbfdf64a3aec54f064ef9daec17a92be7ad87ab457ab4f8 |
| SHA512 | a84253f51e5776daaf479598e99caa9084c887c939515a55581cb479c06abdac958cd8949f3a0ffb454b908d2befbdd0f3c283b27afc03a316551135110185a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
| MD5 | 5f8854a0897fb754b531571e19cc07fd |
| SHA1 | c6459441361335dbabd58ce8b774f2c621514ad8 |
| SHA256 | ac3d7128235e7aad8c9bb130ad69b546da3973721e8120fc2c7ff3011c364c58 |
| SHA512 | 5a09cba998b8784de3ad9b8118db84968d1428ee5a9157d19d48e2b6bf219dfe5b3fc95bc67d3f32be953ec0d7702c304a8908e04b2c28af4471edf1546464d7 |
C:\Windows\Installer\MSI1827.tmp
| MD5 | 0c80a997d37d930e7317d6dac8bb7ae1 |
| SHA1 | 018f13dfa43e103801a69a20b1fab0d609ace8a5 |
| SHA256 | a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86 |
| SHA512 | fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5 |
C:\Windows\Installer\MSI1902.tmp
| MD5 | e6fd0e66cf3bfd3cc04a05647c3c7c54 |
| SHA1 | 6a1b7f1a45fb578de6492af7e2fede15c866739f |
| SHA256 | 669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2 |
| SHA512 | fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb |
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
| MD5 | 281e659e73e029f83f4d70c3a4133593 |
| SHA1 | ed83fa8543310d058e038b78285396c534c743d0 |
| SHA256 | bb4f08a2684d5c9ea18b14f0febbaeef735aeee8c64c0bef827d8ea961930c25 |
| SHA512 | d0b414ba69460b2ed72a1a937bb3f599ee74816ddbb25e5d894530b42005e8f3faf662b237a26aef500f627685e95e4996d4ab5c64e39e4102c22e0f5b99682a |
C:\Users\Admin\AppData\Local\Temp\A2B63F4F-F902-4778-AB0D-CD6612F46470\lite_installer.exe
| MD5 | aafdfaa7a989ddb216510fc9ae5b877f |
| SHA1 | 41cf94692968a7d511b6051b7fe2b15c784770cb |
| SHA256 | 688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc |
| SHA512 | 6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44 |
C:\Users\Admin\AppData\Local\Temp\E4075F79-2C80-4F47-8982-2E9D27B27AAA\seederexe.exe
| MD5 | 225ba20fa3edd13c9c72f600ff90e6cb |
| SHA1 | 5f1a9baa85c2afe29619e7cc848036d9174701e4 |
| SHA256 | 35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797 |
| SHA512 | 97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3 |
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
| MD5 | 751ba1f9a431ddb7dd5ad2693a642423 |
| SHA1 | 7952264c1bd9d32a73fb17039662f147fe0cf09b |
| SHA256 | e9ff2ac66c6736f7e1c64aa828f8eb522f73d715a6870ed6a39f77fc858c81fc |
| SHA512 | 57cbc62a53b701dd7f86525389fa736f952aa7f7271137bcde86a59012347899e97c86e888d9a879a1e27fe113b860dcf4f9f2820b7e5a19d199fc13c446bbc1 |
C:\Config.Msi\e5816b1.rbs
| MD5 | a35c70c22e6dee45fd6dda010bdffa47 |
| SHA1 | 0584d1072758f4079da8711f14126f2565af1120 |
| SHA256 | 06832d5c941f85c638b497732ccf0b0948ddaf5d72c9ae96ed64c606e8bda224 |
| SHA512 | 2b6c3f33f5a959e4a0e35f6d6365cb8922881ef8f4cc80cf5104aa963ac2a0d6d715981e0092da86d0ac1faeb679e1494a43c045aa20b26a70a75a5ce72ea11f |
C:\Users\Admin\AppData\Local\Temp\omnija-20240004.zip
| MD5 | dc5128fcb8d7f6b849f1166532db2dc8 |
| SHA1 | 8427501d440d5edbbb2662294bc5650d2bc8aab5 |
| SHA256 | 36e682f419c2b5d8e7c285d36088b56d59df3869dbd181943280696d4ca391ca |
| SHA512 | bcf0d463ed4f01a313b8e6be745ad55b42108be84cc5850c411dec19aa7c6d996782da49fc208559f1188941bdd1082d954cfa316f08c0ad2efcf0662952e524 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\places.sqlite-20240604010041.025921.backup
| MD5 | 314cb7ffb31e3cc676847e03108378ba |
| SHA1 | 3667d2ade77624e79d9efa08a2f1d33104ac6343 |
| SHA256 | b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1 |
| SHA512 | dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5 |
C:\Users\Admin\AppData\Local\Temp\3E6EA874-E3ED-46BC-A258-15E86C40A829\sender.exe
| MD5 | f1a8f60c018647902e70cf3869e1563f |
| SHA1 | 3caf9c51dfd75206d944d4c536f5f5ff8e225ae9 |
| SHA256 | 36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577 |
| SHA512 | c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240604010041.104056.backup
| MD5 | 3adec702d4472e3252ca8b58af62247c |
| SHA1 | 35d1d2f90b80dca80ad398f411c93fe8aef07435 |
| SHA256 | 2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335 |
| SHA512 | 7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0 |
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240604010041.104056.backup
| MD5 | af006f1bcc57b11c3478be8babc036a8 |
| SHA1 | c3bb4fa8c905565ca6a1f218e39fe7494910891e |
| SHA256 | ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c |
| SHA512 | 3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af |
C:\Users\Admin\AppData\Roaming\Yandex\ui
| MD5 | 737dc0fb23bd24be3bdfece43877d2d1 |
| SHA1 | 65d2c6fa8af7d6ddb14a97ef6ebd59e88f1d8fd1 |
| SHA256 | 507c01ac3f5e0bec05599eb0e1c89a00182fe6281340bab01788bcdb44d01f9d |
| SHA512 | e1910e39ba0b923513132fd133b04bf201a5b839f27533365d9d82393280bd286236d0d28aa04fd1e106094d528540c1728fcc0c610f6d081778245587187ffa |