banload | 3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1

Resubmissions

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

15.1MB
MD5

679e3f0e646a1a26b3264d08f398b228
SHA1

feedf0799a22cdfb393960a2b8edc06b35019664
SHA256

3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1
SHA512

46038281c1c73ba9a0265db68a4be35fee3fb640d95c04407424a9cd7bc97013ca5b40ae546f7e25dc77c9d047ee9d4fea98d54e1c7a44977f204623543af99f
SSDEEP

393216:A8+b3itt/k6pMm/aGib3gQuq6C2CT9U3TC6dRR8H0ZH3P:qS9CmqzTGunIH3P

Score

10^/10

banload lumma downloader dropper evasion persistence stealer trojan

Malware Config

Extracted

Family

lumma

https://fomremywellmadderw.shop/api

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ezcd.exeezcd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ezcd.exeezcd.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.tmpSetup.tmp

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Setup.tmp

Executes dropped EXE 5 IoCs

Processes:

Setup.tmpSetup.tmpUnRAR.exeezcd.exeezcd.exe

pid	Process
2076	Setup.tmp
2472	Setup.tmp
4632	UnRAR.exe
444	ezcd.exe
4340	ezcd.exe

Loads dropped DLL 9 IoCs

Processes:

Setup.tmpSetup.tmpezcd.exeezcd.exeFtur.au3

pid	Process
2076	Setup.tmp
2472	Setup.tmp
444	ezcd.exe
444	ezcd.exe
444	ezcd.exe
4340	ezcd.exe
4340	ezcd.exe
4340	ezcd.exe
2300	Ftur.au3

Registers COM server for autorun 1 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ezcd.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\4.0.30319	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\4.0.30319\ImplementedInThisVersion	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\System32\\mscoree.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\2.0.50727	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\2.0.50727\ImplementedInThisVersion	ezcd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ezcd.exe

description	pid	Process	procid_target
PID 4340 set thread context of 2076	4340	ezcd.exe	107

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 59 IoCs

Processes:

ezcd.exeezcd.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\grloaSt	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\grloaSt\ = "DvzKKjAEmZKjUujHam\\E\\^^"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\awROOKrPSb\ = "qippFtsfQxcpqUE~swmW~zV"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ihgbS	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\mbsgquUph\ = "ABvErEm^]iI`VgPvtAQWzkHiipRSna"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ybvbnwqVa	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ihgbS\ = "\\fcYrBQmd`d~\|eBMP"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\grloaSt	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\mbsgquUph	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ihgbS	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\yvwe\ = "aW@Sq`JUDyt"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\tqpzvyvoy	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ihgbS\ = "_DEdiFi\x7fGeg\x7fp[I\|]"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ybvbnwqVa\ = "kZDsM{[rsN[_zT[\\~"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\yvwe\ = "QW@SqbmAgUh"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Server	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\tqpzvyvoy\ = "leUHeQgNFCCA^BAg~Q"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lhqwe	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\NotInsertable	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Beigxcj	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Beigxcj\ = "GuJrdtyi~OGvBhsXtnLhLsZ[Q"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\yvwe	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\yvwe\ = "NbpDf_]QsOS"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\4.0.30319	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lhqwe	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\mbsgquUph\ = "@BgNsQ[D~\x7f]\|~OJ\\pqvFfbM@QuxD^e"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\awROOKrPSb	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\tqpzvyvoy	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "ComPlusDebug.CorpubPublish.1"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Both"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\Beigxcj	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ybvbnwqVa\ = "Frs}S~eAJv`FyHi}{"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Microsoft Common Language Runtime Debugger Publisher"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\Beigxcj\ = "jd`gNjDLA\\l\x7f\\{hFGJbflvi\x7fM"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\awROOKrPSb\ = "TyUrLi@wGECHEmKUtRohUB}"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\yvwe	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lhqwe\ = "uq{y\x7fGYbHOV]d~{nK[bAK~WMRbciGkM["	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\awROOKrPSb	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\lhqwe\ = "uq{y\x7fGYbHOV]d~{nK[bAK~WMRbciGkMZ"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\grloaSt\ = "\|\|LOwdQK\|[rOqOAq[_Yn[\\@"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\4.0.30319\ImplementedInThisVersion	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ybvbnwqVa\ = "Frs}SNeAJv`Fyxi}{"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\mbsgquUph	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ybvbnwqVa	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lhqwe\ = "B]hrnygKC\\\x7fQgcWQAyEn]Ry{a^@TnewO"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\ybvbnwqVa\ = "kZDsMK[rsN[_zd[\\~"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Windows\\System32\\mscoree.dll"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Server\ = "mscordbi.dll"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\yvwe\ = "~bpDf]zEPcO"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\{8934AEBA-278E-13D1-B2E4-0060975B8649}\lhqwe\ = "B]hrnygKC\\\x7fQgcWQAyEn]Ry{a^@TnewN"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "ComPlusDebug.CorpubPublish"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\2.0.50727\ImplementedInThisVersion	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\tqpzvyvoy\ = "lkkE@J@vuT`wRD{YnA"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\2.0.50727	ezcd.exe

NTFS ADS 2 IoCs

Processes:

ezcd.exe

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

Setup.tmpezcd.exeezcd.exemore.com

pid	Process
2472	Setup.tmp
2472	Setup.tmp
444	ezcd.exe
4340	ezcd.exe
4340	ezcd.exe
4340	ezcd.exe
2076	more.com
2076	more.com
2076	more.com
2076	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ezcd.exemore.com

pid	Process
4340	ezcd.exe
2076	more.com

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.tmp

pid	Process
2472	Setup.tmp

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Setup.exeSetup.tmpSetup.exeSetup.tmpezcd.exeezcd.exemore.com

description	pid	Process	procid_target
PID 2432 wrote to memory of 2076	2432	Setup.exe	93
PID 2432 wrote to memory of 2076	2432	Setup.exe	93
PID 2432 wrote to memory of 2076	2432	Setup.exe	93
PID 2076 wrote to memory of 2496	2076	Setup.tmp	94
PID 2076 wrote to memory of 2496	2076	Setup.tmp	94
PID 2076 wrote to memory of 2496	2076	Setup.tmp	94
PID 2496 wrote to memory of 2472	2496	Setup.exe	95
PID 2496 wrote to memory of 2472	2496	Setup.exe	95
PID 2496 wrote to memory of 2472	2496	Setup.exe	95
PID 2472 wrote to memory of 4632	2472	Setup.tmp	96
PID 2472 wrote to memory of 4632	2472	Setup.tmp	96
PID 2472 wrote to memory of 444	2472	Setup.tmp	102
PID 2472 wrote to memory of 444	2472	Setup.tmp	102
PID 444 wrote to memory of 4340	444	ezcd.exe	106
PID 444 wrote to memory of 4340	444	ezcd.exe	106
PID 4340 wrote to memory of 2076	4340	ezcd.exe	107
PID 4340 wrote to memory of 2076	4340	ezcd.exe	107
PID 4340 wrote to memory of 2076	4340	ezcd.exe	107
PID 4340 wrote to memory of 2076	4340	ezcd.exe	107
PID 2076 wrote to memory of 2300	2076	more.com	111
PID 2076 wrote to memory of 2300	2076	more.com	111
PID 2076 wrote to memory of 2300	2076	more.com	111
PID 2076 wrote to memory of 2300	2076	more.com	111
PID 2076 wrote to memory of 2300	2076	more.com	111

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Users\Admin\AppData\Local\Temp\is-N8ROJ.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-N8ROJ.tmp\Setup.tmp" /SL5="$60178,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\is-JPHHC.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JPHHC.tmp\Setup.tmp" /SL5="$701EE,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\UnRAR.exe" x -p2024 -o+ "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\jhgfdsa.rar" "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\"
        5⤵
        Executes dropped EXE
        
        PID:4632
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe
        
        "C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        
        C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies registry class
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        8⤵
        Loads dropped DLL
        
        PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
9a4347fd3f302ec90725489ea91be645

SHA1
a1668ce6d85f41768e3ddd99229d0dd54403f4b9

SHA256
cf11711570ea4721beaff84d006285650d3b68e761f5ea6b4fce6a6cf049655d

SHA512
7c311de4e0345ca2967ba193e751ddd80cfe3495614f294d06e71c9dcd272f01aaf29cb5a52d7b309d847ef1a5b85b573e35c4489d7d1515032a4ced0be8533f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\VCRUNTIME140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\acdbase.dll

Filesize
2.9MB

MD5
b1bdb6ded9dff296ceff241fb196457b

SHA1
5bdfb243477cf12c239bb277cd66ca0dfa5d043d

SHA256
a9e79f83f81567cef62d2026ce30e1d5da27352590a6ef1c662cd1a634f73352

SHA512
3ba56cca93ed41fd185d81b076146064e1f59d4b3109dd44ecbe26e28e669011562527b7a2bdea0d9fb2f00d03a03c80acc83b6d3430721f0ce57b7c31c36123

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\gable.flv

Filesize
46KB

MD5
e1e1bf5a99a816a279d1309d61d80f2d

SHA1
427726ac33db371d40a687ef11b6071239bc70f6

SHA256
317cd902474c2dd27c9ad4af84d6b97b2831a996d9cd05ce2fb2518ffc38f923

SHA512
a6a2807324218eb28039bf3f946f3fadcdf5507b1d85c126a55b94c07c048a43db26183692e3e385680c299b01f4666f2ab17fc366f946fd6097e3d71e46088d

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\jhgfdsa.rar

Filesize
9.7MB

MD5
d4cf9207c2e3ba875410515927a9c3b2

SHA1
1564182a98cbf350c3d0e6ecfdcd622226c6217f

SHA256
ec329b9da2c72d3dd84d0b8f41b2ba8c2e95208aa614c6f10ca2ede6e6d2b52b

SHA512
b7b7e96d3c0ce2286b3ebcb978b976aaf31674c204f8c868daa9019b61e67cee4b4c0da90aa1ed8463474c9a156880cc422719ae7a78617ee5d7cda0be4a5034

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\libmmd.dll

Filesize
4.0MB

MD5
42943c6acaf8d5ca953911b2bb99fc14

SHA1
ea719eafd2857b43b20228827f5596f1137ac3d5

SHA256
427ef018d494bf6cb8531ab3bbcb501ed4c8c7c6479097b33ab4d15750eccc4c

SHA512
85e71abc6db8a2e4eaad70d35ca613a918046715c8447b4c975021791f160aa3d1c4cb19969f81dd7b9f98f13dec41619c44e3c5948ae593af9c3d0cfec346fc

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\shroff.rtf

Filesize
1.3MB

MD5
976de7d9e2ddca3c71bc51dc64e8ea6f

SHA1
2a76dc465078e110b20287730b64176ce844ab9f

SHA256
47a827e4291894470af7ad714fcafda799ad69715100e28cbc5570801c8dbdb8

SHA512
804a41d05e0ebad7803a039d94a2b79a0b22340faaf6ec6aa773e67f34cf6fe5439aa8621761e30e65631ee083feea36a2f482b4614e5173e5669a756a419763

Download Submit
C:\Users\Admin\AppData\Local\Temp\39e617c3

Filesize
1.8MB

MD5
69a6c47deddb37c123f81d453e062ac7

SHA1
0931fb9eeeeeaf4f4b51e789474898a2695e1454

SHA256
3e53611c1e051e9f1e88c31f2dc58c2cb95303046c4fc317d59047ecb60c5a12

SHA512
e4418e79d036800d3294ad7b2b452971c93d22a9393ddf7f97cf1faaa5dda8515efd50c2e0fa01b2f5d0bb45bdf92b1cc1003d7f5fd81fa8de7a70c0d9355fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ftur.au3

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GVNRQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N8ROJ.tmp\Setup.tmp

Filesize
3.0MB

MD5
62c2965912072266823bafdec2273528

SHA1
a737d8b8d31a440137894c0852c71976d64fb6fc

SHA256
d26099f9c70cd8a482e372523b96cdd5e01ff373725d786c9b9dd9749d3a03ab

SHA512
2dd306f9e3d78a6531b1bdd28ecc5be118bd45b3fad6197d404ab3dbadae60902fedf5df3cd8db2e07e63e5d80e672d6693b6e74c5df01a25d962ec912631c46

Download Submit
memory/444-86-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/444-84-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/444-67-0x0000000003FA0000-0x0000000004188000-memory.dmp

Filesize
1.9MB

Download
memory/444-88-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/444-97-0x00007FF82D570000-0x00007FF82D6E2000-memory.dmp

Filesize
1.4MB

Download
memory/444-85-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/444-83-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/444-81-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/444-79-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2076-155-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

Filesize
2.0MB

Download
memory/2076-157-0x0000000074F70000-0x00000000750EB000-memory.dmp

Filesize
1.5MB

Download
memory/2076-17-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2076-6-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2300-166-0x0000000000C00000-0x0000000000C59000-memory.dmp

Filesize
356KB

Download
memory/2300-163-0x0000000000C00000-0x0000000000C59000-memory.dmp

Filesize
356KB

Download
memory/2300-164-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

Filesize
2.0MB

Download
memory/2432-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2432-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2432-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2472-72-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2496-75-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2496-13-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/4340-140-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-139-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-142-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-151-0x00007FF82D570000-0x00007FF82D6E2000-memory.dmp

Filesize
1.4MB

Download
memory/4340-152-0x00007FF82D570000-0x00007FF82D6E2000-memory.dmp

Filesize
1.4MB

Download
memory/4340-137-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-138-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-135-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-133-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/4340-122-0x0000000003F70000-0x0000000004158000-memory.dmp

Filesize
1.9MB

Download