Overview
overview
10Static
static
10[DemonArch...f3.exe
windows7-x64
10[DemonArch...5e.exe
windows7-x64
10[DemonArch...a8.exe
windows7-x64
10[DemonArch...55.exe
windows7-x64
[DemonArch...9c.exe
windows7-x64
8[DemonArch...ac.exe
windows7-x64
10[DemonArch...0f.exe
windows7-x64
10[DemonArch...94.exe
windows7-x64
10[DemonArch...7e.exe
windows7-x64
8[DemonArch...5a.exe
windows7-x64
1[DemonArch...c4.exe
windows7-x64
[DemonArch...f3.exe
windows7-x64
10[DemonArch...8f.exe
windows7-x64
10[DemonArch...85.exe
windows7-x64
10[DemonArch...92.exe
windows7-x64
9[DemonArch...5b.exe
windows7-x64
10[DemonArch...59.exe
windows7-x64
7[DemonArch...0f.exe
windows7-x64
10[DemonArch...61.exe
windows7-x64
10[DemonArch...16.exe
windows7-x64
10[DemonArch...23.exe
windows7-x64
[DemonArch...6d.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...5c.exe
windows7-x64
10[DemonArch...52.exe
windows7-x64
10[DemonArch...af.exe
windows7-x64
10[DemonArch...fa.exe
windows7-x64
10[DemonArch...f1.exe
windows7-x64
7[DemonArch...7b.exe
windows7-x64
10[DemonArch...02.exe
windows7-x64
10[DemonArch...80.exe
windows7-x64
[DemonArch...c8.exe
windows7-x64
8Analysis
-
max time kernel
300s -
max time network
161s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
04-07-2024 17:22
Behavioral task
behavioral1
Sample
[DemonArchives]01be7be288126004a6b6013cfa9630f3.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
[DemonArchives]02352cbf001e9c8176a5b7d381ef9b5e.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral3
Sample
[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
[DemonArchives]04a8e202d70a574213680cdb7c82fb55.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral5
Sample
[DemonArchives]05e82b287218043df6c8560cd0e2719c.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral6
Sample
[DemonArchives]07fe5f7c673e5faa200611f9cb716aac.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral7
Sample
[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral8
Sample
[DemonArchives]09f326448c37d99a61bb064e68ac6b94.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral9
Sample
[DemonArchives]0a47e2885329b83d82525cb438e57f7e.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral10
Sample
[DemonArchives]0d061414e840b27ea6109e573bd2165a.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral11
Sample
[DemonArchives]1192a915b81f1f7878472391f42cb6c4.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
[DemonArchives]14049d0a3afad0faa21ab1fff2e417f3.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral13
Sample
[DemonArchives]149dd5469233f52aa4287362ce85b88f.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral14
Sample
[DemonArchives]1df7772347bfd34ecb1685a1ba69c285.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral15
Sample
[DemonArchives]1e0dc068677f96c9da7f43cf4d4acd92.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
[DemonArchives]1ee7f65b0c08c4ff7e1047c14851575b.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral17
Sample
[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral18
Sample
[DemonArchives]227f3ff19943a0e8c1b26a563246280f.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral19
Sample
[DemonArchives]2353c3f467be78e36e934caf5f3c3b61.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral20
Sample
[DemonArchives]26add802e0e75416385317658b116216.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral21
Sample
[DemonArchives]2bf9e607accd325cfb734cd594b00723.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
[DemonArchives]3825817f6028f26ff0b5cd748559286d.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral23
Sample
[DemonArchives]3e70eabf850c2134ac1acd815a2a90af.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral24
Sample
[DemonArchives]41637d74a16e50cafe6cb72974a1cf5c.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral25
Sample
[DemonArchives]42971155e95ad8ace7b6fc53d70fb952.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral26
Sample
[DemonArchives]47522f57257b441811cf5f87c9118faf.exe
Resource
win7-20240611-en
windows7-x64
Behavioral task
behavioral27
Sample
[DemonArchives]4782545d269557614be88caef0383cfa.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral28
Sample
[DemonArchives]4bed82d2182d95951a4dd3b090868cf1.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral29
Sample
[DemonArchives]4c1ca9436c971190f7082f5c108a007b.exe
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral30
Sample
[DemonArchives]4fd60e9aed5ab9ed5326da37806b2502.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral31
Sample
[DemonArchives]550ad0e50316dfca7c0bfd14f9060880.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral32
Sample
[DemonArchives]55a0c8c7e6c8b2be4ebd164d43e746c8.exe
Resource
win7-20240221-en
windows7-x64
General
-
Target
[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe
-
Size
2.6MB
-
MD5
1fa9dbcc19fb2ae5cd344f559e95b759
-
SHA1
f13b4f9508a41bfb44e8df8cf1e5ad43b2df36cf
-
SHA256
4ddb27297b45d0195877d13b68bbd36471be74f72e93fcddd7f92c9fba9e94c2
-
SHA512
0fd4ce9f507cf431fc579c33c88a1779f2b2df7bb78781ac0282a9fab7313972af3f8991b69f753d232143a2cda81ff8aec3ba533c7e59b8a856b2c3b2079595
-
SSDEEP
24576:5nWYXDaHMv6CorjqnyPQGzh0JONZejOuC+e4mOzrvxiI3ENyesg/jHLxQVIxX6L/:tl1vqjdPQRw/D4mizA0dizLrB51v6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
Loads dropped DLL 1 IoCs
pid Process 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral17/files/0x000d00000001342e-1.dat autoit_exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\WINDOWS\Media\ActiveX.ocx [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.mdb [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.ldb [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com\Total = "1640" 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "1640" 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.64ma.com 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\live.64ma.com\ = "1640" 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DOMStorage\64ma.com\NumberOfSubdomains = "1" 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
NTFS ADS 3 IoCs
description ioc Process File created C:\WINDOWS\Media\Desktop.ini:dbase.mdb [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.mdb [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe File opened for modification C:\WINDOWS\Media\Desktop.ini:dbase.ldb [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe 2776 64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2776 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 28 PID 1620 wrote to memory of 2776 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 28 PID 1620 wrote to memory of 2776 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 28 PID 1620 wrote to memory of 2776 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 28 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30 PID 1620 wrote to memory of 1188 1620 [DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]1fa9dbcc19fb2ae5cd344f559e95b759.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe"C:\Program Files\64Âë¸ßÇåÍøÂçµçÊÓv2.4.2.exe"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2776
-
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 C:\WINDOWS\Media\ActiveX.ocx /s2⤵PID:1188
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD56539bdfd0f773f8798f1d92eba880bf0
SHA167bc99119172bda9687360e62eddfd9e6ec59b4b
SHA256bd6cfd0d71c5f034524a29184831673b4c59a3b6d828563c4e272d87f16a1406
SHA5127cadb53777a0776ea25e4c79e672f2ce8b81f51a6fb0568f1cf52561d3d0053f68ec59c22c43a07d1dcc517be190507020e7d317f9e8c184e79952cb46c54a59
-
Filesize
12B
MD540aeeb227886f6088259a3a9435758b1
SHA1757d1b0b48992af5177cbafcef7848a96d417b6e
SHA256a5d49c3f69653852e03dd85228e5988fb0db525c8e702a4a694f45d02b51e444
SHA51201d1966f991b195097f4cc877c54da821baafd3c1794cfc2bbd68bf32fa7f46ed7dff4386fa5c663eccb37158de76a99ec32df933ee643279c45231eb61aa461
-
Filesize
642KB
MD5d871f2c4088b8b4044a06352378e5f47
SHA11ac52a4fa15aaee20307c475ff0ef95351418074
SHA256bfc4f31183a35555e19d2095a743129b20949acbcb5ea43a5fbfaa0b7e624bfa
SHA512294a0cc0d8f89b077821ed97891dc693bdb6dd3f7b4436840f78e5663ece817cf6400d782f31ae33b8fdbbffa9c1691e2411fc9240d2100c2c1e2a4be71b2d68