banload | 3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

15.1MB
MD5

679e3f0e646a1a26b3264d08f398b228
SHA1

feedf0799a22cdfb393960a2b8edc06b35019664
SHA256

3e79d4e30a37e43e13033008ca5bfe51b54e12d24c8dbba76da259d26789b9f1
SHA512

46038281c1c73ba9a0265db68a4be35fee3fb640d95c04407424a9cd7bc97013ca5b40ae546f7e25dc77c9d047ee9d4fea98d54e1c7a44977f204623543af99f
SSDEEP

393216:A8+b3itt/k6pMm/aGib3gQuq6C2CT9U3TC6dRR8H0ZH3P:qS9CmqzTGunIH3P

Score

10^/10

banload downloader dropper evasion persistence trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ezcd.exeezcd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ezcd.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ezcd.exeezcd.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ezcd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ezcd.exe

Executes dropped EXE 5 IoCs

Processes:

Setup.tmpSetup.tmpUnRAR.exeezcd.exeezcd.exe

pid	Process
1264	Setup.tmp
2432	Setup.tmp
2720	UnRAR.exe
2612	ezcd.exe
768	ezcd.exe

Loads dropped DLL 37 IoCs

Processes:

Setup.exeSetup.tmpSetup.exeSetup.tmpezcd.exeezcd.exemore.comFtur.au3WerFault.exe

pid	Process
2208	Setup.exe
1264	Setup.tmp
2836	Setup.exe
2432	Setup.tmp
2432	Setup.tmp
2688
2432	Setup.tmp
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
2612	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
768	ezcd.exe
2256	more.com
1476	Ftur.au3
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe
1900	WerFault.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ezcd.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\RuntimeVersion = "v2.0.50727"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ezcd.exe

description	pid	Process	procid_target
PID 768 set thread context of 2256	768	ezcd.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1900	1476	WerFault.exe	37

Modifies registry class 46 IoCs

Processes:

ezcd.exeezcd.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\xuydKuMfqgq	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\xuydKuMfqgq\ = "`VgPvtAQWzkHiipRSnaDv^KIz"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\dcZC	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\nOjumvtv	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zTvo	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\nOjumvtv\ = "newNNbpDf]uMutc"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\QwojjmeLjm\ = "yxFNJbflHxd]YZDsMK[rsN[_zd[\\~"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\grgueov	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\QwojjmeLjm	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\zTvo\ = "leUHeQgNFCCA^BAg~QdBgNsX[D~\x7f]"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\grgueov	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\QwojjmeLjm	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\nOjumvtv\ = "newO~bpDf_RYVX\x7f"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\dcZC\ = "ippFtsfQxcpqUE~swmW~zVuq{y\x7fGYbHO"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\nOjumvtv\ = "GkM[QW@Sq`E]anX"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\nOjumvtv	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zTvo	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\WivexYvquDmi	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\xuydKuMfqgq\ = "\|~OJ\\pqvFfbM@QuxD^e\|\|hOut"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\grgueov\ = "QB\|[VOs_Ax[_}nYL@cd`CNhTLH\\l[\\"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\WivexYvquDmi	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\eQYuh	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\zTvo\ = "lkkE@J@vuT`wRD{YnAeBvErLm^]iI"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\grgueov\ = "ALmZojWejAamxE^N^NuJVdviiwOGRB"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\QwojjmeLjm\ = "jcX}nLhLMK@Atrs}SNeAJv`Fyxi}{"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\xuydKuMfqgq	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\QwojjmeLjm\ = "yxFNJbflHxd]YZDsM{[rsN[_zT[\\~"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\QwojjmeLjm\ = "jcX}nLhLMK@Atrs}S~eAJv`FyHi}{"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\RuntimeVersion = "v2.0.50727"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\WivexYvquDmi\ = "_DEdiFi\x7fGeg\x7fp[I\|]T"	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\dcZC\ = "yUrLi@wGECHEmKUtRohUB}B]hrnygKC\\"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\WivexYvquDmi\ = "\\fcYrBQmd`d~\|eBMPq"	ezcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\eQYuh	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\eQYuh\ = "V]d~{nK[bAK~WMRbci"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}	ezcd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\eQYuh\ = "\x7fQgcWQAyEn]Ry{a^@T"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass"	ezcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\nOjumvtv\ = "GkMZaW@SqbbIBBD"	ezcd.exe
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000_CLASSES\{8934AEBA-278E-13D1-B2E4-0060975B8649}\dcZC	ezcd.exe

NTFS ADS 2 IoCs

Processes:

ezcd.exe

description	ioc	Process
File created	C:\ProgramData\TEMP:8934AEBA	ezcd.exe
File opened for modification	C:\ProgramData\TEMP:8934AEBA	ezcd.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Setup.tmpezcd.exeezcd.exemore.com

pid	Process
2432	Setup.tmp
2432	Setup.tmp
2612	ezcd.exe
768	ezcd.exe
768	ezcd.exe
2256	more.com
2256	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ezcd.exemore.com

pid	Process
768	ezcd.exe
2256	more.com

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Setup.tmp

pid	Process
2432	Setup.tmp

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

Setup.exeSetup.tmpSetup.exeSetup.tmpezcd.exeezcd.exemore.comFtur.au3

description	pid	Process	procid_target
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 2208 wrote to memory of 1264	2208	Setup.exe	28
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 1264 wrote to memory of 2836	1264	Setup.tmp	29
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2836 wrote to memory of 2432	2836	Setup.exe	30
PID 2432 wrote to memory of 2720	2432	Setup.tmp	31
PID 2432 wrote to memory of 2720	2432	Setup.tmp	31
PID 2432 wrote to memory of 2720	2432	Setup.tmp	31
PID 2432 wrote to memory of 2720	2432	Setup.tmp	31
PID 2432 wrote to memory of 2612	2432	Setup.tmp	33
PID 2432 wrote to memory of 2612	2432	Setup.tmp	33
PID 2432 wrote to memory of 2612	2432	Setup.tmp	33
PID 2432 wrote to memory of 2612	2432	Setup.tmp	33
PID 2612 wrote to memory of 768	2612	ezcd.exe	34
PID 2612 wrote to memory of 768	2612	ezcd.exe	34
PID 2612 wrote to memory of 768	2612	ezcd.exe	34
PID 768 wrote to memory of 2256	768	ezcd.exe	35
PID 768 wrote to memory of 2256	768	ezcd.exe	35
PID 768 wrote to memory of 2256	768	ezcd.exe	35
PID 768 wrote to memory of 2256	768	ezcd.exe	35
PID 768 wrote to memory of 2256	768	ezcd.exe	35
PID 2256 wrote to memory of 1476	2256	more.com	37
PID 2256 wrote to memory of 1476	2256	more.com	37
PID 2256 wrote to memory of 1476	2256	more.com	37
PID 2256 wrote to memory of 1476	2256	more.com	37
PID 2256 wrote to memory of 1476	2256	more.com	37
PID 2256 wrote to memory of 1476	2256	more.com	37
PID 1476 wrote to memory of 1900	1476	Ftur.au3	38
PID 1476 wrote to memory of 1900	1476	Ftur.au3	38
PID 1476 wrote to memory of 1900	1476	Ftur.au3	38
PID 1476 wrote to memory of 1900	1476	Ftur.au3	38
PID 2256 wrote to memory of 1476	2256	more.com	37

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\is-465O0.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-465O0.tmp\Setup.tmp" /SL5="$400F4,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\is-0RQFL.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-0RQFL.tmp\Setup.tmp" /SL5="$500F4,11439742,799232,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe
        
        "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\UnRAR.exe" x -p2024 -o+ "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\\jhgfdsa.rar" "C:\Users\Admin\AppData\Local\\Managebg_QEE_v3\\CurrentVersion\\bin\\"
        5⤵
        Executes dropped EXE
        
        PID:2720
    - - C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe
        
        "C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        
        C:\Users\Admin\AppData\Roaming\cpprest141_2_8\ezcd.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies registry class
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\more.com
        
        C:\Windows\SysWOW64\more.com
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        
        C:\Users\Admin\AppData\Local\Temp\Ftur.au3
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 120
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Licenses\01D69EEBF42E950EA.Lic

Filesize
146B

MD5
747d597720a9c230576ed5e350c28616

SHA1
0934c9a6f229f8a8673cba3477933dcfc57b5731

SHA256
9b6e1a093ae92cbc4839955661730133118f96bd118cf71401b6a3ad59894f08

SHA512
150ea417526e26832c8dc42333f2eb437145c424c8be81dc12162036f174f28cce392859b4c769c8f48bd9f9c207313bdbec3568cf56ae18e35f61576f0607a6

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\VCRUNTIME140.dll

Filesize
116KB

MD5
699dd61122d91e80abdfcc396ce0ec10

SHA1
7b23a6562e78e1d4be2a16fc7044bdcea724855e

SHA256
f843cd00d9aff9a902dd7c98d6137639a10bd84904d81a085c28a3b29f8223c1

SHA512
2517e52f7f03580afd8f928c767d264033a191e831a78eed454ea35c9514c0f0df127f49a306088d766908af7880f713f5009c31ce6b0b1e4d0b67e49447bfff

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
9f812bd3815909e559b15cb13489f294

SHA1
df751c956f59b4e3c82496d86895adc7cc1a1619

SHA256
ce6fcc2ddf21720c92bee04f5736a4787acffa970a1b0dbeea39ff5efec52c75

SHA512
0a360e8b81bf80cb6bdf240d627ddcf71b1a4ca42759de61b2d27fab521a8e6e3afa308cc69caf5a7c8b14d98d3d448f0d400ae1826cbe7d0f0ceafd14682064

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
1a72e5f24214eb723e03a22ff53f8a22

SHA1
578d1dbfb22e9ff3b10c095d6a06acaf15469709

SHA256
fda46141c236a11054d4d3756a36da4412c82dd7877daad86cb65bf53d81ca1a

SHA512
530e693daecc7c7080b21e39b856c538bb755516aafdb6839a23768f40bcfc38d71b19586e8c8e37bb1c2b7a7c31fcb8e24a2315a8dd90f50fec22f973d86cb4

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-heap-l1-1-0.dll

Filesize
21KB

MD5
9d136bbecf98a931e6371346059b5626

SHA1
2466e66bfd88dd66c1c693cbb95ea8a91b9558cd

SHA256
7617838af1b589f57e4fe9fee1e1412101878e6d3287cdc52a51cd03e3983717

SHA512
8c720c798d2a06f48b106a0a1ef38be9b4a2aebe2a657c8721278afa9fdbab9da2a672f47b7996ca1ce7517015d361d77963c686e0ae637a98c32fd75e5d0610

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
6d35a57a6d8d569f870b96e00e7f1f4d

SHA1
8407bdb3cd5ec15b2ce738b3dbd704aa289ce3e1

SHA256
f41511e477a164eb9451ca51fb3810437f3b15f21e6f5c6ce0956e84ec823723

SHA512
4317b86d32ca93e5f0d832819cf1ab8af68e853a19eb07dd1fa4d168a0b2a8eab309194884ed3a613b09fc6d511be872a053f76f00ea443499006cdd226fea8f

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\ezcd.exe

Filesize
8.5MB

MD5
98169506fec94c2b12ba9930ad704515

SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428

SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\gable.flv

Filesize
46KB

MD5
e1e1bf5a99a816a279d1309d61d80f2d

SHA1
427726ac33db371d40a687ef11b6071239bc70f6

SHA256
317cd902474c2dd27c9ad4af84d6b97b2831a996d9cd05ce2fb2518ffc38f923

SHA512
a6a2807324218eb28039bf3f946f3fadcdf5507b1d85c126a55b94c07c048a43db26183692e3e385680c299b01f4666f2ab17fc366f946fd6097e3d71e46088d

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\jhgfdsa.rar

Filesize
9.7MB

MD5
d4cf9207c2e3ba875410515927a9c3b2

SHA1
1564182a98cbf350c3d0e6ecfdcd622226c6217f

SHA256
ec329b9da2c72d3dd84d0b8f41b2ba8c2e95208aa614c6f10ca2ede6e6d2b52b

SHA512
b7b7e96d3c0ce2286b3ebcb978b976aaf31674c204f8c868daa9019b61e67cee4b4c0da90aa1ed8463474c9a156880cc422719ae7a78617ee5d7cda0be4a5034

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\libmmd.dll

Filesize
4.0MB

MD5
42943c6acaf8d5ca953911b2bb99fc14

SHA1
ea719eafd2857b43b20228827f5596f1137ac3d5

SHA256
427ef018d494bf6cb8531ab3bbcb501ed4c8c7c6479097b33ab4d15750eccc4c

SHA512
85e71abc6db8a2e4eaad70d35ca613a918046715c8447b4c975021791f160aa3d1c4cb19969f81dd7b9f98f13dec41619c44e3c5948ae593af9c3d0cfec346fc

Download Submit
C:\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\shroff.rtf

Filesize
1.3MB

MD5
976de7d9e2ddca3c71bc51dc64e8ea6f

SHA1
2a76dc465078e110b20287730b64176ce844ab9f

SHA256
47a827e4291894470af7ad714fcafda799ad69715100e28cbc5570801c8dbdb8

SHA512
804a41d05e0ebad7803a039d94a2b79a0b22340faaf6ec6aa773e67f34cf6fe5439aa8621761e30e65631ee083feea36a2f482b4614e5173e5669a756a419763

Download Submit
\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\UnRAR.exe

Filesize
494KB

MD5
98ccd44353f7bc5bad1bc6ba9ae0cd68

SHA1
76a4e5bf8d298800c886d29f85ee629e7726052d

SHA256
e51021f6cb20efbd2169f2a2da10ce1abca58b4f5f30fbf4bae931e4ecaac99b

SHA512
d6e8146a1055a59cba5e2aaf47f6cb184acdbe28e42ec3daebf1961a91cec5904554d9d433ebf943dd3639c239ef11560fa49f00e1cff02e11cd8d3506c4125f

Download Submit
\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\acdbase.dll

Filesize
2.9MB

MD5
b1bdb6ded9dff296ceff241fb196457b

SHA1
5bdfb243477cf12c239bb277cd66ca0dfa5d043d

SHA256
a9e79f83f81567cef62d2026ce30e1d5da27352590a6ef1c662cd1a634f73352

SHA512
3ba56cca93ed41fd185d81b076146064e1f59d4b3109dd44ecbe26e28e669011562527b7a2bdea0d9fb2f00d03a03c80acc83b6d3430721f0ce57b7c31c36123

Download Submit
\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
25KB

MD5
6b39d005deb6c5ef2c9dd9e013b32252

SHA1
79a0736454befd88ba8d6bd88794d07712e38a67

SHA256
b0e50572eb82a46ed499775e95bfde7cb25c498957432c18c20cf930f332efd0

SHA512
50bc1f669499589a480379d72166dae701914427d51223994d63a0363420ca6fdde07010803270a62451afea9e4ae55206d8a4c00ca4680e7a9120cd33f99a0f

Download Submit
\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
97f24295c9bd6e1acae0c391e68a64cf

SHA1
75700dce304c45ec330a9405523f0f22e5dcbb18

SHA256
189d551fb3cba3dbb9b9c1797e127a52ac486d996f0ac7cba864fe35984a8d28

SHA512
cac75f623545c41b2597a25c14f2af7eb93e3e768b345d3b0e1928d8fd1f12bec39b18b8277f9550aa6a66d9cfe1bf6c3db93ae1eb2a6c07019d4f210b3e5998

Download Submit
\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
d282a4fa046d05d40d138cc68c518914

SHA1
d5012090399f405ffe7d2fed09650e3544528322

SHA256
8b1471101145343da5f2c5981c515da4dfae783622ed71d40693fe59c3088d7a

SHA512
718926e728627f67ba60a391339b784accd861a15596f90d7f4e6292709ac3d170bcbca3cbf6267635136cb00b4f93da7dfd219fa0beee0cf8d95ce7090409e4

Download Submit
\Users\Admin\AppData\Local\Managebg_QEE_v3\CurrentVersion\bin\api-ms-win-crt-utility-l1-1-0.dll

Filesize
21KB

MD5
8ed70910380aa0b28317512d72762cc0

SHA1
0421518370f24f9559f96459d0798d98b81ea732

SHA256
f15af0db93d9385ff9d8efdc06aacd0729d0dfcb66e91ca0243bb160f2ed89d0

SHA512
b31ef07eaac310fdd3df3546246e7dc696595b8e92141e3db79a44ddc3358b12129e3829a53c76d0fef214e3f29dba77fa5d556211830a140ea34ff62258d9d7

Download Submit
\Users\Admin\AppData\Local\Temp\is-465O0.tmp\Setup.tmp

Filesize
3.0MB

MD5
62c2965912072266823bafdec2273528

SHA1
a737d8b8d31a440137894c0852c71976d64fb6fc

SHA256
d26099f9c70cd8a482e372523b96cdd5e01ff373725d786c9b9dd9749d3a03ab

SHA512
2dd306f9e3d78a6531b1bdd28ecc5be118bd45b3fad6197d404ab3dbadae60902fedf5df3cd8db2e07e63e5d80e672d6693b6e74c5df01a25d962ec912631c46

Download Submit
\Users\Admin\AppData\Local\Temp\is-7KQI4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/768-156-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/768-153-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/768-136-0x0000000003CD0000-0x0000000003EB8000-memory.dmp

Filesize
1.9MB

Download
memory/768-149-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/768-147-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/768-151-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/768-154-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/768-181-0x000007FEF5E40000-0x000007FEF5F98000-memory.dmp

Filesize
1.3MB

Download
memory/768-180-0x000007FEF5E40000-0x000007FEF5F98000-memory.dmp

Filesize
1.3MB

Download
memory/768-152-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/1264-18-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1264-10-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/1476-189-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-190-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-191-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1476-192-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/1476-194-0x0000000000080000-0x00000000000D9000-memory.dmp

Filesize
356KB

Download
memory/2208-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2208-0-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2208-20-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2256-185-0x0000000074E60000-0x0000000074FD4000-memory.dmp

Filesize
1.5MB

Download
memory/2256-183-0x00000000774E0000-0x0000000077689000-memory.dmp

Filesize
1.7MB

Download
memory/2432-78-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2612-84-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2612-73-0x0000000003D20000-0x0000000003F08000-memory.dmp

Filesize
1.9MB

Download
memory/2612-90-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2612-118-0x000007FEF5E10000-0x000007FEF5F68000-memory.dmp

Filesize
1.3MB

Download
memory/2612-88-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2612-91-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2612-86-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2612-93-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2612-89-0x0000000000400000-0x0000000001CF7000-memory.dmp

Filesize
25.0MB

Download
memory/2836-80-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2836-15-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download