60362d9e99dade84ac6bdb02aedbad8c4adb5d2303b2eb6bc97708ae77074e33

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2629/FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Size

4.0MB
MD5

d408e8a8056bdcf9e1d569cd211f6efc
SHA1

99fd4ff079ed73573848492504cb5712f2067040
SHA256

587e14af969e26467c73d7b4e74bb02e39e4750127a56601cdbf9060d3728b9a
SHA512

d6100d61f788e2d94560c6ca7931d4bf919c20ed6de1ea4140cbfe1d444004fa64f71cbcd502b44398d157f0120f578ce653834ea04555d4c549cb07f68bcd21
SSDEEP

98304:+vEFsNsvGS7+3PCbPROeIZ0Ap0mYZBsv8NGfhIB7oWlmfWQ6RTbG5/AEcoUfS:O4sWvGBPCbPUTavNGfhIZbm+m5jct

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2236	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Loads dropped DLL 4 IoCs

pid	Process
2072	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2236	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\syswow64\GDI32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\OLEAUT32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\GLU32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\uxtheme.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\msimg32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\shfolder.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\sechost.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\RPCRT4.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\imagehlp.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\wsock32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\CLBCatQ.DLL	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\profapi.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\kernel32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\LPK.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\DEVOBJ.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\propsys.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\winmm.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\advapi32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\SHELL32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\hhctrl.ocx	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\ole32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\MSCTF.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\DCIMAN32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\dwmapi.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\CRYPTBASE.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\comdlg32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\version.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\NSI.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\DUI70.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\psapi.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\USP10.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\DDRAW.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\explorerframe.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\DUser.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\USER32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\SHLWAPI.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\imm32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\SETUPAPI.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\CFGMGR32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\KERNELBASE.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\msvcrt.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\opengl32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\ws2_32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\SysWOW64\ntdll.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
File opened for modification	C:\Windows\syswow64\SspiCli.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000008a053c6a8c5e8f84a307c9a6ed33825424f2700f4fa0dc79ce6b8fbce6aa11f6000000000e80000000020000200000007dc7b310cff90e5363d9ddd894595f633084036a10489e227c36ea8873dfebb3900000002986227e525a97c688d078aa839c169e36d694f638486b6492eb417050044bd47b5a990606e2797c79050cd945ae3cece57294ddc8355937919fd1f290e38348fcdaf9c4a24ee4d181ab7a6c12856798c227c5bf67257f1f74a82de48153cc73123f158b70f993c4e0c40a50dd8836ad588238fe6ab1a6ec0449311a6eb65884cdbfa32da9c283ed58a4222caf6a6737400000008739980fccb4e85e1109fba997b953962519dcd2e47dd33fce2e17350c04b5287c145a1990a756ab66e546e17d08147182b84e24dd84bb48071856d21df63fcb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A4A31D11-295C-11EF-AE43-7A4B76010719} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424428225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000002cec115c113aca31a58c7a68a32132901944d27c7ba206cbdd226bd8b284c5ac000000000e80000000020000200000003aaaad13516c56c6dfea2010aba928d6dccfa8b6160166a4e13b22643d701f0220000000b9aa3a5cd721d1aa169479246bdbcc3c51c0cdae122d7e72fec840082ee251004000000046f61a3a4a9d188b98dfd7d6407fbfedaa93800dc02d749c2fcbce4e8863e429909b478177e4e52687cdef2d001f30893a07f5fcfa857503ad680e1d0971f77e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90e0388a69bdda01	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeLoadDriverPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeCreateGlobalPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: 33	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeSecurityPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeTakeOwnershipPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeManageVolumePrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeBackupPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeCreatePagefilePrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeShutdownPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeRestorePrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: 33	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
Token: SeIncBasePriorityPrivilege	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
2640	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2640	iexplore.exe
2640	iexplore.exe
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE
2512	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2236	2072	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	28
PID 2072 wrote to memory of 2236	2072	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	28
PID 2072 wrote to memory of 2236	2072	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	28
PID 2072 wrote to memory of 2236	2072	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	28
PID 2236 wrote to memory of 2560	2236	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	29
PID 2236 wrote to memory of 2560	2236	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	29
PID 2236 wrote to memory of 2560	2236	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	29
PID 2236 wrote to memory of 2560	2236	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	29
PID 2560 wrote to memory of 2616	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	30
PID 2560 wrote to memory of 2616	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	30
PID 2560 wrote to memory of 2616	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	30
PID 2560 wrote to memory of 2616	2560	FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe	30
PID 2616 wrote to memory of 2640	2616	cmd.exe	32
PID 2616 wrote to memory of 2640	2616	cmd.exe	32
PID 2616 wrote to memory of 2640	2616	cmd.exe	32
PID 2616 wrote to memory of 2640	2616	cmd.exe	32
PID 2640 wrote to memory of 2512	2640	iexplore.exe	33
PID 2640 wrote to memory of 2512	2640	iexplore.exe	33
PID 2640 wrote to memory of 2512	2640	iexplore.exe	33
PID 2640 wrote to memory of 2512	2640	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\2629\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
"C:\Users\Admin\AppData\Local\Temp\2629\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
  "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\2629\"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe
    "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe" "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\2629\"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start http://mrantifun.net
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://mrantifun.net/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2640
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\CET_Archive.dat

Filesize
3.8MB

MD5
18c8cd69b4864a5a1cfbd2a821ec497b

SHA1
6e922bda9a311c9abef40af9623da948ad490572

SHA256
e0c0e073a7db8150b29046e414d6424ddbe834d130bcf56ff6a82e4f4b86e81f

SHA512
b0dfb1b2114baf6eb079c7075b28086f4397557f4d7bf1b71e869b00a9e0f27c8ae0d0be8d05c17eed8bbe6681fee3f7574def618290844d9f4f79f77bbc745a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Filesize
196KB

MD5
808de473370ef6b5d98ab752f245a3ca

SHA1
800bd4ad10c17471829693fac3cee4502b14f029

SHA256
65cbed2e8db313b8966638e40eb27f94156c294eb060b28a02c130d146518c39

SHA512
fafaff03ad502523b3627e59e1026b8af4217a80215782a90667bc4f4c330871d8c3d890f2601b68ec9a42c0171d12b9e5b87067c95dcad1132b0a8979c56a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\CET_TRAINER.CETRAINER

Filesize
221KB

MD5
bdfae0c7601c5fe3b1fefbb2c485c02d

SHA1
ee532f617c1d29cc2dc0ce26f6e1f7077d54b61c

SHA256
5b2508a471842b8e88dcaf0844889565075b3eaad7b8646eb07a3b8eec43011c

SHA512
9e4877dd3bff34c894f0843f1f491c295c2710617b0557ddaf8d6863d512c3af6fbf43035d3658dc248b82295ce2c59d2d365937004e5837a4e144aa7006609d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\defines.lua

Filesize
5KB

MD5
d8f9b4a10a48ebd8936255f6215c8a43

SHA1
7d8ff0012fa9d9dcf189c6df963f1c627f2ccb76

SHA256
d4347332b232622283e7dd3781f64966bd1097d06cca7052b467cf99e62898f2

SHA512
67db5dc65fef66fe3a1920c5f406091d17eeae27266039af392a166d63686b8fc61b94684f2b97762995aefa42d2d15148213ecef64cc0df04de19320abba97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\lua5.1-32.dll

Filesize
329KB

MD5
2730ff589ae86ef10d94952769f9404f

SHA1
8010834297a6aa488e6bf90eceaaf9e60bb60c6e

SHA256
faf0850051ba175347e40481da9e2cc3a122a09d428925042932be555db06e6b

SHA512
5fb35eb364603568b67ce0d19371016a382bc62500de807a12492ceacd5d2b765e0908e2e7e9798446b6c005c0e48c0da74c1a0f9d55c49a8ef4eb3c3d1307e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\win32\dbghelp.dll

Filesize
1.2MB

MD5
9139604740814e53298a5e8428ba29d7

SHA1
c7bf8947e9276a311c4807ea4a57b504f95703c9

SHA256
150782fca5e188762a41603e2d5c7aad6b6419926bcadf350ebf84328e50948f

SHA512
0b99259e9c0ee566d55cc53c4a7eabf025ed95973edc80ded594023a33f8273cd5d3f3053993f771f9db8a9d234e988cba73845c19ddc6e629e15a243c54cd5d

Download Submit
\Users\Admin\AppData\Local\Temp\cetrainers\CET1A16.tmp\extracted\FarCry 3 V1.05 DX11 Trainer +10 MrAntiFun.exe

Filesize
7.4MB

MD5
7be0f90c526a7dcbe40c2b6d5db884cc

SHA1
afaf6106f912f9ca8703fe8be2114c1d47121fdb

SHA256
c53cd508cdf0c218876e6ff23ffa496d51bd7a231e5a64f86ca3af46b0402fbb

SHA512
698011935a3e5a83dd69689c48b0414e85625d4b1e502517854d435e3af81e84aca1112232a0943c123e7a81d0d141781ce30612f64ec90ffc7d93c75d6f93e9

Download Submit
memory/2560-25-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/2560-23-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/2560-27-0x0000000003A30000-0x0000000003A70000-memory.dmp

Filesize
256KB

Download
memory/2560-48-0x0000000003A30000-0x0000000003A70000-memory.dmp

Filesize
256KB

Download