vidar | 5f89eb141d955c2e678cbb3b36b110f93f807ff7ef2b125fb99092fd6f0f668c

General

Target

fl_patch_installer_20_7_2_1863.exe
Size

110.3MB
MD5

48906a21b1072092f48549c944333a93
SHA1

b26e17bb3306ebe5f959d416480286f729aac923
SHA256

5f89eb141d955c2e678cbb3b36b110f93f807ff7ef2b125fb99092fd6f0f668c
SHA512

9c0895909d6712301b89f2be0ec31744d3693bfd07a26e99468b7ffdf5d7cb0bce224084752080248eb900387bcb8bfc9e288680a55be1181d2c85e35bc2e369
SSDEEP

3145728:n/Kby+Xl9wy53Ly5QgBhs1uGrvqDJw3QaSv/:/eX1uyKLB/8cBH

Score

10^/10

vidar 948 stealer

Malware Config

Extracted

Family

vidar

Version

40.4

Botnet

948

C2

https://romkaxarit.tumblr.com/

Attributes

profile_id
948

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\uninstaller.exe	family_vidar

Executes dropped EXE 3 IoCs

Processes:

fl_patch.exeuninstaller.exefl_patch.tmp

pid process

2628 fl_patch.exe
2664 uninstaller.exe
2796 fl_patch.tmp

pid	process
2628	fl_patch.exe
2664	uninstaller.exe
2796	fl_patch.tmp

Loads dropped DLL 10 IoCs

Processes:

cmd.exeuninstaller.exefl_patch.exeWerFault.exe

pid	process
2728	cmd.exe
2728	cmd.exe
2664	uninstaller.exe
2664	uninstaller.exe
2664	uninstaller.exe
2628	fl_patch.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe
1104	WerFault.exe

Drops file in Program Files directory 64 IoCs

Processes:

fl_patch.tmp

description	ioc	process
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\Vocodex.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\is-C205J.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DrumSynth Live\is-F9DCL.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\Wasp XT_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\Fruity Video Player.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\Wasp_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\Edison.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\Newtime.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\Newtone_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\Transistor Bass_x64.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\is-21JMR.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\is-6JSUV.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\Edison_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\SimSynth\SimSynth.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Ogun\Ogun_x64.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\is-5HT43.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DrumSynth Live\Fruity DrumSynth Live_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\Slicex_x64.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\is-895ET.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\is-RTICG.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Maximus\is-RJ1D5.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\is-KA2RJ.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\is-H3CEU.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Harmless\is-T7VS5.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Sytrus\Sytrus.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\Newtone.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Harmor\Harmor_x64.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\SimSynth\is-UEASN.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\is-1H9E3.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DrumSynth Live\is-6DJIB.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Harmor\is-583TO.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\is-OMCI3.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\is-GI7GC.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\Slicex.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\Wasp.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Transient Processor\Transient Processor.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Soundfont Player\Fruity Soundfont Player.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Gross Beat\Gross Beat.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\is-Q0B05.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtone\is-7BMET.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Ogun\Ogun.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DX10\Fruity DX10_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Maximus\Maximus.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\is-A9FQ1.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Slicex\is-9M311.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Transient Processor\Transient Processor_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Soundfont Player\Fruity SoundFont Player_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\SimSynth\SimSynth_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\Transistor Bass.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Edison\is-KP9NT.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Transient Processor\is-LM0HP.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\is-9A8IG.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\Synthesizer\is-4ISSU.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\Newtime_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity Video Player\Fruity Video Player_x64.dll	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Vocodex\Vocodex_x64.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\is-O6A5O.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Fruity DX10\is-5R0SG.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Transistor Bass\is-3M42G.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp\is-M9ERR.tmp	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Ogun\is-UCDU3.tmp	fl_patch.tmp
File opened for modification	C:\Program Files\Image-Line\FL Studio 20\FLEngine.dll	fl_patch.tmp
File created	C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Effects\Newtime\is-RVC61.tmp	fl_patch.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1104 2664 WerFault.exe uninstaller.exe

pid	pid_target	process	target process
1104	2664	WerFault.exe	uninstaller.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

uninstaller.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	uninstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	uninstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	uninstaller.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fl_patch.tmp

pid process

2796 fl_patch.tmp
2796 fl_patch.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

fl_patch.tmp

pid process

2796 fl_patch.tmp

pid	process
2796	fl_patch.tmp
2796	fl_patch.tmp

pid	process
2796	fl_patch.tmp

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

fl_patch_installer_20_7_2_1863.execmd.exefl_patch.exeuninstaller.exe

description	pid	process	target process
PID 360 wrote to memory of 2728	360	fl_patch_installer_20_7_2_1863.exe	cmd.exe
PID 360 wrote to memory of 2728	360	fl_patch_installer_20_7_2_1863.exe	cmd.exe
PID 360 wrote to memory of 2728	360	fl_patch_installer_20_7_2_1863.exe	cmd.exe
PID 360 wrote to memory of 2728	360	fl_patch_installer_20_7_2_1863.exe	cmd.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2628	2728	cmd.exe	fl_patch.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2728 wrote to memory of 2664	2728	cmd.exe	uninstaller.exe
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2628 wrote to memory of 2796	2628	fl_patch.exe	fl_patch.tmp
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe
PID 2664 wrote to memory of 1104	2664	uninstaller.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe
"C:\Users\Admin\AppData\Local\Temp\fl_patch_installer_20_7_2_1863.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\start.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\fl_patch.exe
fl_patch.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp" /SL5="$401AA,116119095,125440,C:\Users\Admin\AppData\Local\Temp\fl_patch.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2796

C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
uninstaller.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 952
4⤵
- Loads dropped DLL
- Program crash
PID:1104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Image-Line\FL Studio 20\Plugins\Fruity\Generators\Wasp XT\is-O6A5O.tmp
Filesize
3.4MB

MD5
7b5f389263a80605a4770c80d8ae5af3

SHA1
7a226991aec4e0ff2761c92340d934ae7e91856d

SHA256
d7aa3d5081c199e35a9eb320e2b132bba9e4a7e48b535660833b85ffc662fef3

SHA512
6370800120f52f1106a672c868b4a97175a5435a54c737b7b81a410cceb3c698277aec9eb8e051dd25c71762e0fce513c6499d5d683a06a71fb621c5161b0c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F7E.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.bat
Filesize
52B

MD5
31d9a703e474b8308b47fcc645b6639f

SHA1
e4b0b1df8b05dd2ab9c319c7cd901ffc5ce5ccea

SHA256
95bbf6860fb9ccca9d9b41df75294f86f9bd6fbfee3ebe42306875145d62b357

SHA512
cee2921e71e364d5f9eee10c643f250e6c872996b7781f58058d6b19e0c9c67425a7f73df82efbfd56c57ee3760e1dd1264eea03038ce7213c5a4bb92caa756b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uninstaller.exe
Filesize
838KB

MD5
96732cbc61bf97fbebebead194f07184

SHA1
12c1a5e772df670a110bd1ec0eed21b319f19286

SHA256
54b401a0fc715c1548cf451d93f3da3413af7609af37eee20c6f007f8b52a1f3

SHA512
55026ef2afdd8875f9fbc86bbfec95fc9e48bd4fc68d9c7966b72a1cbf48c447c88814344e607ab4f25d65458a5a96c77108b11be6465e2c822e9f8712989f63

Download Submit
\Users\Admin\AppData\Local\Temp\is-IQ4VG.tmp\fl_patch.tmp
Filesize
1.1MB

MD5
006c402fd22016b5a5a1c2180ca5ccc9

SHA1
dc8dae24ef11181d145c8d9f6f245f3b67a3e1d0

SHA256
5b246db2dfc1a5d000b0662e2a58e1cb9f89fdc87945597ec1e1f2f245fd7898

SHA512
caea20f48421f7918c9ead0316decba60460c74ff878666e0a48ae1e5b2eb41a37b03c1a59bc3aa416990e49cae155e19894461c28c225f4f9b42e184db289b1

Download Submit
memory/2628-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-104-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2628-195-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2796-105-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2796-193-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads