raccoon | 4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1

Analysis

max time kernel
126s
max time network
132s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
Size

8.1MB
MD5

ac8a5010569727ed6f4d02cbb4dc7879
SHA1

6a7ed927eb14e661d01b707bf9454a28f962b3dc
SHA256

4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1
SHA512

8b14647d6d3d82fec3a83c680b1371dae5ead249e5b7b068bbd713cd157c85f58afc51eaa08c6fd82a70e3858a7d472e11ddd688223d5fa8cc54109750a07d8b
SSDEEP

196608:BGRahMaJLQTXCZ6z02V2eipAVpEXGpJYChuRGApVh:EtaJUeYzZV2eipApTER3bh

Score

10^/10

raccoon spyware stealer upx

Malware Config

Signatures

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1512-284-0x0000000000400000-0x000000000053E000-memory.dmp	family_raccoon_v1
behavioral1/memory/1512-306-0x0000000000400000-0x000000000053E000-memory.dmp	family_raccoon_v1

Executes dropped EXE 11 IoCs

Processes:

4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exeMSI25B9.tmpMSI362E.tmpLiberate.exeMSI3861.tmppr.exeMSI3AC2.tmpMSI46D4.tmpk.execsrss.execsrss.exe

pid	process
1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
2484	MSI25B9.tmp
2016	MSI362E.tmp
1512	Liberate.exe
2384	MSI3861.tmp
2912	pr.exe
1752	MSI3AC2.tmp
2708	MSI46D4.tmp
2820	k.exe
1472	csrss.exe
3040	csrss.exe

Loads dropped DLL 20 IoCs

Processes:

4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exeMSIEXEC.EXEMSI362E.tmpMSI3861.tmpMSI46D4.tmp

pid	process
1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
2044	MSIEXEC.EXE
2044	MSIEXEC.EXE
2044	MSIEXEC.EXE
2016	MSI362E.tmp
2016	MSI362E.tmp
2016	MSI362E.tmp
2016	MSI362E.tmp
2044	MSIEXEC.EXE
2384	MSI3861.tmp
2384	MSI3861.tmp
2384	MSI3861.tmp
2384	MSI3861.tmp
2044	MSIEXEC.EXE
2044	MSIEXEC.EXE
2044	MSIEXEC.EXE
2708	MSI46D4.tmp
2708	MSI46D4.tmp
2708	MSI46D4.tmp
2708	MSI46D4.tmp

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Liberate.exe	upx
behavioral1/memory/1512-180-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral1/memory/1512-275-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral1/memory/1512-276-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral1/memory/1512-278-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral1/memory/1512-280-0x0000000000400000-0x000000000053E000-memory.dmp	upx
behavioral1/memory/1512-281-0x0000000000400000-0x000000000053E000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

MSIEXEC.EXELiberate.exe

description	ioc	process
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\D:	Liberate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

4 iplogger.org
5 iplogger.org
17 iplogger.org
44 drive.google.com
45 drive.google.com

flow	ioc
4	iplogger.org
5	iplogger.org
17	iplogger.org
44	drive.google.com
45	drive.google.com

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\pr.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\k.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

dllhost.exe

pid process

1836 dllhost.exe
1836 dllhost.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

pr.exek.exe

description pid process target process

PID 2912 set thread context of 1836 2912 pr.exe dllhost.exe
PID 2820 set thread context of 2852 2820 k.exe dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1836	dllhost.exe
1836	dllhost.exe

description	pid	process	target process
PID 2912 set thread context of 1836	2912	pr.exe	dllhost.exe
PID 2820 set thread context of 2852	2820	k.exe	dllhost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dllhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	dllhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	dllhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dllhost.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Liberate.exeMSI25B9.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Liberate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	MSI25B9.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	MSI25B9.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	MSI25B9.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	MSI25B9.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	MSI25B9.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	MSI25B9.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Liberate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Liberate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Liberate.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2776 schtasks.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

dllhost.exeMSIEXEC.EXE

pid process

2852 dllhost.exe
2044 MSIEXEC.EXE

pid	process
2776	schtasks.exe

pid	process
2852	dllhost.exe
2044	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

MSIEXEC.EXEmsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2044	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2044	MSIEXEC.EXE
Token: SeRestorePrivilege	1696	msiexec.exe
Token: SeTakeOwnershipPrivilege	1696	msiexec.exe
Token: SeSecurityPrivilege	1696	msiexec.exe
Token: SeCreateTokenPrivilege	2044	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2044	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2044	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2044	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2044	MSIEXEC.EXE
Token: SeTcbPrivilege	2044	MSIEXEC.EXE
Token: SeSecurityPrivilege	2044	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2044	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2044	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2044	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2044	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2044	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2044	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2044	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2044	MSIEXEC.EXE
Token: SeBackupPrivilege	2044	MSIEXEC.EXE
Token: SeRestorePrivilege	2044	MSIEXEC.EXE
Token: SeShutdownPrivilege	2044	MSIEXEC.EXE
Token: SeDebugPrivilege	2044	MSIEXEC.EXE
Token: SeAuditPrivilege	2044	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2044	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2044	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2044	MSIEXEC.EXE
Token: SeUndockPrivilege	2044	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2044	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2044	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2044	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2044	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2044	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

MSIEXEC.EXEpr.exek.exe

pid process

2044 MSIEXEC.EXE
2912 pr.exe
2912 pr.exe
2912 pr.exe
2820 k.exe
2820 k.exe
2820 k.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

pr.exek.exe

pid process

2912 pr.exe
2912 pr.exe
2912 pr.exe
2820 k.exe
2820 k.exe
2820 k.exe

pid	process
2044	MSIEXEC.EXE
2912	pr.exe
2912	pr.exe
2912	pr.exe
2820	k.exe
2820	k.exe
2820	k.exe

pid	process
2912	pr.exe
2912	pr.exe
2912	pr.exe
2820	k.exe
2820	k.exe
2820	k.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exeMSIEXEC.EXEMSI362E.tmpMSI3861.tmppr.exeMSI46D4.tmpk.exedllhost.exetaskeng.exe

description	pid	process	target process
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1704 wrote to memory of 1716	1704	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 1716 wrote to memory of 2044	1716	4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe	MSIEXEC.EXE
PID 2044 wrote to memory of 2484	2044	MSIEXEC.EXE	MSI25B9.tmp
PID 2044 wrote to memory of 2484	2044	MSIEXEC.EXE	MSI25B9.tmp
PID 2044 wrote to memory of 2484	2044	MSIEXEC.EXE	MSI25B9.tmp
PID 2044 wrote to memory of 2484	2044	MSIEXEC.EXE	MSI25B9.tmp
PID 2044 wrote to memory of 2016	2044	MSIEXEC.EXE	MSI362E.tmp
PID 2044 wrote to memory of 2016	2044	MSIEXEC.EXE	MSI362E.tmp
PID 2044 wrote to memory of 2016	2044	MSIEXEC.EXE	MSI362E.tmp
PID 2044 wrote to memory of 2016	2044	MSIEXEC.EXE	MSI362E.tmp
PID 2016 wrote to memory of 1512	2016	MSI362E.tmp	Liberate.exe
PID 2016 wrote to memory of 1512	2016	MSI362E.tmp	Liberate.exe
PID 2016 wrote to memory of 1512	2016	MSI362E.tmp	Liberate.exe
PID 2016 wrote to memory of 1512	2016	MSI362E.tmp	Liberate.exe
PID 2044 wrote to memory of 2384	2044	MSIEXEC.EXE	MSI3861.tmp
PID 2044 wrote to memory of 2384	2044	MSIEXEC.EXE	MSI3861.tmp
PID 2044 wrote to memory of 2384	2044	MSIEXEC.EXE	MSI3861.tmp
PID 2044 wrote to memory of 2384	2044	MSIEXEC.EXE	MSI3861.tmp
PID 2384 wrote to memory of 2912	2384	MSI3861.tmp	pr.exe
PID 2384 wrote to memory of 2912	2384	MSI3861.tmp	pr.exe
PID 2384 wrote to memory of 2912	2384	MSI3861.tmp	pr.exe
PID 2384 wrote to memory of 2912	2384	MSI3861.tmp	pr.exe
PID 2044 wrote to memory of 1752	2044	MSIEXEC.EXE	MSI3AC2.tmp
PID 2044 wrote to memory of 1752	2044	MSIEXEC.EXE	MSI3AC2.tmp
PID 2044 wrote to memory of 1752	2044	MSIEXEC.EXE	MSI3AC2.tmp
PID 2044 wrote to memory of 1752	2044	MSIEXEC.EXE	MSI3AC2.tmp
PID 2912 wrote to memory of 1836	2912	pr.exe	dllhost.exe
PID 2912 wrote to memory of 1836	2912	pr.exe	dllhost.exe
PID 2912 wrote to memory of 1836	2912	pr.exe	dllhost.exe
PID 2912 wrote to memory of 1836	2912	pr.exe	dllhost.exe
PID 2912 wrote to memory of 1836	2912	pr.exe	dllhost.exe
PID 2912 wrote to memory of 1836	2912	pr.exe	dllhost.exe
PID 2044 wrote to memory of 2708	2044	MSIEXEC.EXE	MSI46D4.tmp
PID 2044 wrote to memory of 2708	2044	MSIEXEC.EXE	MSI46D4.tmp
PID 2044 wrote to memory of 2708	2044	MSIEXEC.EXE	MSI46D4.tmp
PID 2044 wrote to memory of 2708	2044	MSIEXEC.EXE	MSI46D4.tmp
PID 2708 wrote to memory of 2820	2708	MSI46D4.tmp	k.exe
PID 2708 wrote to memory of 2820	2708	MSI46D4.tmp	k.exe
PID 2708 wrote to memory of 2820	2708	MSI46D4.tmp	k.exe
PID 2708 wrote to memory of 2820	2708	MSI46D4.tmp	k.exe
PID 2820 wrote to memory of 2852	2820	k.exe	dllhost.exe
PID 2820 wrote to memory of 2852	2820	k.exe	dllhost.exe
PID 2820 wrote to memory of 2852	2820	k.exe	dllhost.exe
PID 2820 wrote to memory of 2852	2820	k.exe	dllhost.exe
PID 2820 wrote to memory of 2852	2820	k.exe	dllhost.exe
PID 2820 wrote to memory of 2852	2820	k.exe	dllhost.exe
PID 2852 wrote to memory of 2776	2852	dllhost.exe	schtasks.exe
PID 2852 wrote to memory of 2776	2852	dllhost.exe	schtasks.exe
PID 2852 wrote to memory of 2776	2852	dllhost.exe	schtasks.exe
PID 2852 wrote to memory of 2776	2852	dllhost.exe	schtasks.exe
PID 1556 wrote to memory of 1472	1556	taskeng.exe	csrss.exe
PID 1556 wrote to memory of 1472	1556	taskeng.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
"C:\Users\Admin\AppData\Local\Temp\4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\{D2174172-A901-40FD-93BD-5ACC9F79958B}\4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe
  C:\Users\Admin\AppData\Local\Temp\{D2174172-A901-40FD-93BD-5ACC9F79958B}\4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe /q"C:\Users\Admin\AppData\Local\Temp\4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{D2174172-A901-40FD-93BD-5ACC9F79958B}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{563AE6FA-277B-44A5-9B6F-AF247F4FEDFA}\Clean Disk.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe"
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\MSI25B9.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI25B9.tmp"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2484
  - - C:\Users\Admin\AppData\Local\Temp\MSI362E.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI362E.tmp" -p123 -s1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\Liberate.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Liberate.exe"
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Modifies system certificate store
        
        PID:1512
  - - C:\Users\Admin\AppData\Local\Temp\MSI3861.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI3861.tmp" -p123 -s1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\pr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pr.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\SysWOW64\dllhost.exe"
        6⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Enumerates system info in registry
        
        PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\MSI3AC2.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI3AC2.tmp"
      4⤵
      Executes dropped EXE
      PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\MSI46D4.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI46D4.tmp" -p123 -s1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\k.exe
        
        "C:\Users\Admin\AppData\Local\Temp\k.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\SysWOW64\dllhost.exe"
        6⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc minute /tn "Microsoft LocalManager [2528326573]" /f /tr "C:\ProgramData\{28618585-2861-2861-286185855936}\csrss.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\taskeng.exe
taskeng.exe {F425C964-AF10-4071-A7AC-CA2D4E47E35A} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1556
- C:\ProgramData\{28618585-2861-2861-286185855936}\csrss.exe
  C:\ProgramData\{28618585-2861-2861-286185855936}\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\ProgramData\{28618585-2861-2861-286185855936}\csrss.exe
  C:\ProgramData\{28618585-2861-2861-286185855936}\csrss.exe
  2⤵
  - Executes dropped EXE
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{28618585-2861-2861-286185855936}\csrss.exe

Filesize
7KB

MD5
a63dc5c2ea944e6657203e0c8edeaf61

SHA1
ace762c51db1908c858c898d7e0f9b36f788d2d9

SHA256
f7ad4b09afb301ce46df695b22114331a57d52e6d4163ff74787bf68ccf44c78

SHA512
29c23d7edb935ed16e54a31ac5ced7d2d029ddc120a40ce8887571d6a2e12d71d8aacf75cf5ccc0ac9b813fb30b2bcf212dd34b2898a0febbf0d01027a877356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6d370c7c183ab7e632e47d4a5362d48

SHA1
0fe686e476c018b470af28260126ab4a2c74336f

SHA256
e7d36ca1a279d1316d384ab1084584ce9f5739e37a6565e1649ef8314efdb37c

SHA512
7c9a2ece43eb92d2394c958fabe4bfc04ef2dfc1d5d17f7f75de8350312eabffd50b4136071e2dfae2c1769141117c536d42b753ff749640bfa31066e673aed7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85dd3b40fdb67717d490760b30d15419

SHA1
90a65b769f10ccc12dd3c307a39a4b993fcb9356

SHA256
520f3f330f34609f15d858ec39b46372d332992348a26b5431395543cd733897

SHA512
1f19e4b5d8c680ea9d569b3da64f9023b3cea87c511c6713a37c56bd9a8ef6dfa13bed5b2795136317a9237dc1933ef9f3edffa790dd5b4cce9ae535ab1eaa0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b997b4a834b17c1ffdc8596c0823de63

SHA1
f3c2d6d9147708d15bd4c0f20647cf45f73b2c58

SHA256
82962b69f1921de2c03dc19165e3a4647b99abe83b8435e164eaa2bd27506e53

SHA512
be38ac574c462114d79d339e152bf2891254fe6f6c0629e95cc83513bbf39d180f12727b99bad5c2887915dd7763bf41255b9badf227705b64133adb99be1911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
91cf4b2ca9f11e876275f49867a9fd6e

SHA1
8c1fa3ff96318d44ccdc3118a60054125079fcea

SHA256
a098735ee7ebb460323db7bb6a6c6d043bf54f15d521990cfda8e4e0ff632aef

SHA512
f0326cbf14da2b94aefab7394acfe0303329fd6e2c5eaf2fec78fe246d0ee8f0bc982c387029e2487d307e649f1e0941dbd387e2e87153f8a02b572b8b140da3

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{563AE6FA-277B-44A5-9B6F-AF247F4FEDFA}\Clean Disk.msi

Filesize
8.3MB

MD5
9c2309c593fad53ec720fedce3fb5c8e

SHA1
3ad0e41943d3cf9ccef04b1762b6f7c2bb2ad904

SHA256
2431a89eef494a81f90a49eb7527af3936abd482d12a4ac7b4c51ae5aa33b277

SHA512
aafe5cb6c828b5d908152e32eb3ff5c11d7dc14c4fae8adfec4f7f6a1dba3a66be1d4403758bed9366df83da33dc2eceea6b802017c18c575f47c26819925368

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25B9.tmp

Filesize
3KB

MD5
139e7199a5c31ba3fae8e7a94e135bb4

SHA1
7809aeb1a7cfe7492822aa80737fda974d4edec8

SHA256
92ca2d934ba80bbc1ef5466dc6e90e8e0804889927cec62058fd24a765202c1c

SHA512
040f19dea675f4e799359dd3743477e23a42108899307a0116cba762c5026c4c1cfb4704d9b825606c7d8e7daae3ac812dde60fc199bebc873cd7228e90f3846

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar34EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D2174172-A901-40FD-93BD-5ACC9F79958B}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D2174172-A901-40FD-93BD-5ACC9F79958B}\_ISMSIDEL.INI

Filesize
828B

MD5
87718ef3a659aad06bac3803b47b5460

SHA1
f85a98574fa62f338767d717a3f366b6884f5373

SHA256
afe7db903b0143407bcaa952e05cbb02f3258c82bb1cfac51a2852628ff5dadd

SHA512
1e82b88fa60de6a5096e596caec55f38342878f56420aaa2a2e13821dfa365c098ebb91f44ca97a6d7939dff5d04ba59be2f31455a697f59c019affbdc76d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\~E16.tmp

Filesize
5KB

MD5
64e8655efa105f9108d52951a55e9131

SHA1
faf90f80d6878746675e16a006be0831fe2e0177

SHA256
29829bcf5233d5b12bff852a2828b47045a9e33c35533966fa2b6673c25f5c2e

SHA512
ac0322c37ce1d45cba0978f51b68da34ed7966d6d6a3dda6f900a97a127407d675dc46d84a1f7f98ef21e5fed21e0ff20f1641c2fc5a0c9c7cb7f4defdc61b4e

Download Submit
\Users\Admin\AppData\Local\Temp\Liberate.exe

Filesize
1.0MB

MD5
0d7423d9dff6fc646258db3d76299d4b

SHA1
1ee2d2590896ff7f116574e68039ead6ecafed17

SHA256
c0127722274b1b821443ee5d6a8f59e7d01e75eb32c41b8a74a11e950d6bbf80

SHA512
0879a41834683637108c3084d82e09d3d5734b27926343ddbeafd2f004458259405922b749980cf80c543b67031784eceb9711e3e9add2c6879e57122023edea

Download Submit
\Users\Admin\AppData\Local\Temp\MSI362E.tmp

Filesize
1.3MB

MD5
65e67a0211457c36338c27f72d762ae7

SHA1
2cbeb1d7e1ad7f60f9fb00aa4ebc3dbf6420f9dd

SHA256
46f14ec5e746a0fd09b608b2cb4e3d9210cda157b52ddc0d11dad2c79c9e4a0a

SHA512
057f5586a5b88baa0f0165fd8831af39a682f0d646c80386a0d60d0e0306d33ddfda30e51f8dad789cb5a8f926d8a1bcc7ac28ef3332518b295b36af88f564f6

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3861.tmp

Filesize
1.1MB

MD5
ca56bd7ba051293c3d2babe1003cc651

SHA1
5f3dae90ba6e164b72f62932b68d0ae0e1f704dd

SHA256
8b594f54fa32110651fd1c6400e2ac9fbbd7c0e044b32541f108e7f7807abed4

SHA512
1302abe62f2d7a66d08e902f3421d70c1250e2668fe857e3ee9667b6ce1e156273483c735f453b84c52612ee4b3e6323c2fd329dd1c9abfede1d1dda035264b0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI3AC2.tmp

Filesize
3KB

MD5
0634017ef4a1379813b2cd3eeca507d1

SHA1
389b0af56a4838a70464d1ef7354e937896bae2a

SHA256
2878125aaa2e55b29add1c9a6c40be233d9cfe64db9ace9ef240650acfa492c1

SHA512
a8d4ee7d880769e04b553549b217b28f177632dee557aa25f39fe24b8d49ff8417619c6f9ddd7c7af7b4a53a32687e86dd5211272dbd08e4e6d62f8abf4bb063

Download Submit
\Users\Admin\AppData\Local\Temp\MSI46D4.tmp

Filesize
840KB

MD5
3f90fcdd9d8fa0ae2bd61d63c120b3b4

SHA1
94844ed3edfbd5a46abb484e828a702a46693c79

SHA256
b3dbec31b0ca9b49c81e86534b922464ad82322258cf47045e668f1ff5c6403a

SHA512
53c274beefcdfb331f668b64d60d9d71f5eab982368ad17cc8dda2dba2084dace7e177bfca5c586e539fc973fd6d04ad15ac72d83c36effc3cbab5df0e0e2e10

Download Submit
\Users\Admin\AppData\Local\Temp\k.exe

Filesize
1.0MB

MD5
cba4446c336e398cef837616b4185d7f

SHA1
fe3282b3957c43d07cef73387472a8c93208b7de

SHA256
71e3ec12db6d20afe28fecd1cf5214eb1e8da892719a5423b24688dff457c81c

SHA512
1a3f6d4988fb440e83a04e182c96d9888a9223509a70c8981d3355bf2bab01ad8128a2a5c2882195591e5f1e124f00a926189671acc2ac0d765752e59a7b0132

Download Submit
\Users\Admin\AppData\Local\Temp\pr.exe

Filesize
1.6MB

MD5
8c935578b2abbbc7171b4d4170975726

SHA1
232fd0abd6a58547231fc1208cdd4c5fb8b094b8

SHA256
d8f1221aa0e684c9dee0a0798319bf13c9f52bcc1be7ce73d51a71844835a3e6

SHA512
7fbb35f0a6d1a86146616489fb6c65808d19611971b346b0f1204ebcbff99435513af480752d0fcf201b7fbc389a3399108d61c07c80f14a1afe2eac041bdbc0

Download Submit
\Users\Admin\AppData\Local\Temp\{D2174172-A901-40FD-93BD-5ACC9F79958B}\4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1.exe

Filesize
8.1MB

MD5
ac8a5010569727ed6f4d02cbb4dc7879

SHA1
6a7ed927eb14e661d01b707bf9454a28f962b3dc

SHA256
4af369f90014bcd5fb502f18d0dc27c530acb89170d12f76e15f5d2dd6d957b1

SHA512
8b14647d6d3d82fec3a83c680b1371dae5ead249e5b7b068bbd713cd157c85f58afc51eaa08c6fd82a70e3858a7d472e11ddd688223d5fa8cc54109750a07d8b

Download Submit
memory/1512-180-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-281-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-284-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-275-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-306-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-280-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-278-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1512-276-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1836-213-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1836-279-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1836-221-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1836-220-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1836-211-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1836-218-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2016-170-0x0000000003CF0000-0x0000000003E2E000-memory.dmp

Filesize
1.2MB

Download
memory/2852-267-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-272-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2852-264-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download