privateloader | 87486970ad819fc0c311607afdc0c823f6a687e31057136a29004ad87bbce0b6

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24-07-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

5.5MB
MD5

4277d47d6916af0a7d3a1c1583112df7
SHA1

e8cdd4ceb3476ef0e69387ad3f759bc2a7da36a6
SHA256

ed95fe802a065e28b952131fb08b43d6bde7c1aa54f88ac927ea4176e005fae1
SHA512

5c97f427cd3ef8916bfebdfecdb8eeeb4e31a556950b8fde7c6e0d97381efdaf7dad7593114d1bf65dc2738fb4b34ed2eddf1373cea304821bd19dbaef571d43
SSDEEP

49152:NIaTHKNhze5p5D/oEhXbVuE6lUIdsQKTeXIqPgYxtX8IdiSsnffMlCJso:NI8HKy57cApoUMsQKT9qFD5iSsn

Score

10^/10

privateloader risepro stealc sila credential_access discovery evasion execution loader persistence spyware stealer themida trojan

Malware Config

Extracted

Family

stealc

Botnet

sila

http://85.28.47.31

Attributes

url_path
/5499d72b3a3e55be.php

Extracted

Family

risepro

194.110.13.70

77.105.133.27

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Mu6oRwRJ1spSsX5uwY0eSXUO.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Mu6oRwRJ1spSsX5uwY0eSXUO.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mu6oRwRJ1spSsX5uwY0eSXUO.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mu6oRwRJ1spSsX5uwY0eSXUO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mu6oRwRJ1spSsX5uwY0eSXUO.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	setup.exe

Drops startup file 1 IoCs

Processes:

Mu6oRwRJ1spSsX5uwY0eSXUO.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk	Mu6oRwRJ1spSsX5uwY0eSXUO.exe

Executes dropped EXE 9 IoCs

Processes:

uOk6y5xtl3T4KnCq_Dd86Xpp.exeGebDGOsaGSm7to2SzufJrlV8.exeO89rbVdMGKPLvK3cMaEeZPMc.exeMu6oRwRJ1spSsX5uwY0eSXUO.exeis-NVK62.tmpmp3cdripperbeta32_64.exemp3cdripperbeta32_64.exeeqtpkqwqodik.exe

pid	process
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2632	GebDGOsaGSm7to2SzufJrlV8.exe
1488	O89rbVdMGKPLvK3cMaEeZPMc.exe
2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
1724	is-NVK62.tmp
832	mp3cdripperbeta32_64.exe
2468	mp3cdripperbeta32_64.exe
476
1524	eqtpkqwqodik.exe

Loads dropped DLL 17 IoCs

Processes:

setup.exeGebDGOsaGSm7to2SzufJrlV8.exeis-NVK62.tmpMu6oRwRJ1spSsX5uwY0eSXUO.exemp3cdripperbeta32_64.exemp3cdripperbeta32_64.exe

pid	process
1780	setup.exe
1780	setup.exe
2632	GebDGOsaGSm7to2SzufJrlV8.exe
2632	GebDGOsaGSm7to2SzufJrlV8.exe
2632	GebDGOsaGSm7to2SzufJrlV8.exe
2632	GebDGOsaGSm7to2SzufJrlV8.exe
1724	is-NVK62.tmp
1724	is-NVK62.tmp
1724	is-NVK62.tmp
2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
1724	is-NVK62.tmp
832	mp3cdripperbeta32_64.exe
832	mp3cdripperbeta32_64.exe
1724	is-NVK62.tmp
2468	mp3cdripperbeta32_64.exe
2468	mp3cdripperbeta32_64.exe
476

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\piratemamm\Mu6oRwRJ1spSsX5uwY0eSXUO.exe	themida
behavioral1/memory/2332-397-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-416-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-415-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-413-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-414-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-418-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-417-0x0000000000D80000-0x000000000170F000-memory.dmp	themida
behavioral1/memory/2332-501-0x0000000000D80000-0x000000000170F000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Mu6oRwRJ1spSsX5uwY0eSXUO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe"	Mu6oRwRJ1spSsX5uwY0eSXUO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Mu6oRwRJ1spSsX5uwY0eSXUO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mu6oRwRJ1spSsX5uwY0eSXUO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

60 iplogger.org
61 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.myip.com
10 ipinfo.io
11 ipinfo.io
4 api.myip.com
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

984 powercfg.exe
468 powercfg.exe
2680 powercfg.exe
1744 powercfg.exe
1096 powercfg.exe
2500 powercfg.exe
584 powercfg.exe
3052 powercfg.exe

flow	ioc
60	iplogger.org
61	iplogger.org

flow	ioc
5	api.myip.com
10	ipinfo.io
11	ipinfo.io
4	api.myip.com

pid	process
984	powercfg.exe
468	powercfg.exe
2680	powercfg.exe
1744	powercfg.exe
1096	powercfg.exe
2500	powercfg.exe
584	powercfg.exe
3052	powercfg.exe

Drops file in System32 directory 4 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Mu6oRwRJ1spSsX5uwY0eSXUO.exe

pid process

2332 Mu6oRwRJ1spSsX5uwY0eSXUO.exe

pid	process
2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

eqtpkqwqodik.exe

description	pid	process	target process
PID 1524 set thread context of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 set thread context of 2844	1524	eqtpkqwqodik.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2292 sc.exe
1844 sc.exe
2344 sc.exe
1852 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2292	sc.exe
1844	sc.exe
2344	sc.exe
1852	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mp3cdripperbeta32_64.exemp3cdripperbeta32_64.exeGebDGOsaGSm7to2SzufJrlV8.exeMu6oRwRJ1spSsX5uwY0eSXUO.exeis-NVK62.tmpschtasks.exeO89rbVdMGKPLvK3cMaEeZPMc.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3cdripperbeta32_64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GebDGOsaGSm7to2SzufJrlV8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-NVK62.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O89rbVdMGKPLvK3cMaEeZPMc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	setup.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2324 schtasks.exe
2384 schtasks.exe

pid	process
2324	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup.exetaskmgr.exeMu6oRwRJ1spSsX5uwY0eSXUO.exeuOk6y5xtl3T4KnCq_Dd86Xpp.exe

pid	process
1780	setup.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2280	uOk6y5xtl3T4KnCq_Dd86Xpp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2620 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskmgr.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2620	taskmgr.exe
Token: SeShutdownPrivilege	584	powercfg.exe
Token: SeShutdownPrivilege	984	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	468	powercfg.exe
Token: SeShutdownPrivilege	1744	powercfg.exe
Token: SeShutdownPrivilege	2500	powercfg.exe
Token: SeShutdownPrivilege	1096	powercfg.exe
Token: SeShutdownPrivilege	2680	powercfg.exe
Token: SeLockMemoryPrivilege	2844	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe
2620	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exeGebDGOsaGSm7to2SzufJrlV8.exeMu6oRwRJ1spSsX5uwY0eSXUO.exeis-NVK62.tmpeqtpkqwqodik.exe

description	pid	process	target process
PID 1780 wrote to memory of 2280	1780	setup.exe	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
PID 1780 wrote to memory of 2280	1780	setup.exe	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
PID 1780 wrote to memory of 2280	1780	setup.exe	uOk6y5xtl3T4KnCq_Dd86Xpp.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2632	1780	setup.exe	GebDGOsaGSm7to2SzufJrlV8.exe
PID 1780 wrote to memory of 2332	1780	setup.exe	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
PID 1780 wrote to memory of 2332	1780	setup.exe	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
PID 1780 wrote to memory of 2332	1780	setup.exe	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
PID 1780 wrote to memory of 2332	1780	setup.exe	Mu6oRwRJ1spSsX5uwY0eSXUO.exe
PID 1780 wrote to memory of 1488	1780	setup.exe	O89rbVdMGKPLvK3cMaEeZPMc.exe
PID 1780 wrote to memory of 1488	1780	setup.exe	O89rbVdMGKPLvK3cMaEeZPMc.exe
PID 1780 wrote to memory of 1488	1780	setup.exe	O89rbVdMGKPLvK3cMaEeZPMc.exe
PID 1780 wrote to memory of 1488	1780	setup.exe	O89rbVdMGKPLvK3cMaEeZPMc.exe
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2632 wrote to memory of 1724	2632	GebDGOsaGSm7to2SzufJrlV8.exe	is-NVK62.tmp
PID 2332 wrote to memory of 2384	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2384	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2384	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2384	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2324	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2324	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2324	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 2332 wrote to memory of 2324	2332	Mu6oRwRJ1spSsX5uwY0eSXUO.exe	schtasks.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 832	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1724 wrote to memory of 2468	1724	is-NVK62.tmp	mp3cdripperbeta32_64.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2716	1524	eqtpkqwqodik.exe	conhost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe
PID 1524 wrote to memory of 2844	1524	eqtpkqwqodik.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\Documents\piratemamm\uOk6y5xtl3T4KnCq_Dd86Xpp.exe
C:\Users\Admin\Documents\piratemamm\uOk6y5xtl3T4KnCq_Dd86Xpp.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2280

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "CIFUBVHI"
3⤵
- Launches sc.exe
PID:2292

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "CIFUBVHI" binpath= "C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1844

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1852

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "CIFUBVHI"
3⤵
- Launches sc.exe
PID:2344

C:\Users\Admin\Documents\piratemamm\GebDGOsaGSm7to2SzufJrlV8.exe
C:\Users\Admin\Documents\piratemamm\GebDGOsaGSm7to2SzufJrlV8.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Local\Temp\is-UH5A2.tmp\is-NVK62.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UH5A2.tmp\is-NVK62.tmp" /SL4 $800F2 "C:\Users\Admin\Documents\piratemamm\GebDGOsaGSm7to2SzufJrlV8.exe" 6765812 52224
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
"C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -i
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:832

C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
"C:\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe" -s
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2468

C:\Users\Admin\Documents\piratemamm\Mu6oRwRJ1spSsX5uwY0eSXUO.exe
C:\Users\Admin\Documents\piratemamm\Mu6oRwRJ1spSsX5uwY0eSXUO.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Users\Admin\Documents\piratemamm\O89rbVdMGKPLvK3cMaEeZPMc.exe
C:\Users\Admin\Documents\piratemamm\O89rbVdMGKPLvK3cMaEeZPMc.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620

C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
C:\ProgramData\lmguvcpihozg\eqtpkqwqodik.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2716

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fd8801a37e17e3f7eaff135f98ccb184

SHA1
89369feb64bfbd3b5d4de323b2c5d48da390d777

SHA256
b0259be34c632e7610e84b8a575a5b7573f3537e2f98191af2acb0552561376d

SHA512
49f33a0ec30f3babc4f9cbf6a48d9ba6ae79a41dc7b5597fbb40469f8ac46e8bf56e5158d3fbfa194622f667a49b07bc1af3bb86e016c36818bf8fe1fdbed29c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c0615bb19144ecca9a7f98dd957aeb2d

SHA1
b2681f1f66392114696bd705b9643e9f2f7df2bc

SHA256
4aaf240d7af53ea7c0fe6467f85028df9e9e46ea32fa6a1d83764b6554aecd7d

SHA512
6f8f4c9d29ac00379319195beaa9306341cb43b84ef0ddb874c187d806a06ea864a01d51f37484b9d9c7314fa83261a2bca00bf8a33cd9883de706b8b885472b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
845792dc9a41b7e7cd85a46942b452c8

SHA1
a70dc018845b92504e45f352cf58dbfa005000ff

SHA256
8da77219c5f4a4bb04968bf6afba2f1f4322add8434bf9f2db50deaee3e25839

SHA512
06eeadbbf1b062a5180859bc05988337a4da2b913bef1560479ac9986b33e2b5b080dcc58ccea86446a5e838768bedbd11afd53bd2c809483bff2cce5cb2d42f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8a1e08694005c46c1a2b558438278b8a

SHA1
9e016c1dd13273bf3e32041ee87f88ca6060bbd1

SHA256
70421564e0e9f2a0c11fc4023cacd27d81a450d1a206e87a4be2db33012b3f45

SHA512
c50be1fe3d030784d103e83a7b5020bf44df0dc1df803f20f8332df5019ab86376719d02e93d9c2f6c3016dd1cf787b50a515dd64cbcb343b6ac7dc3264fe525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
95bde4fce039d79dcda11530575d6b35

SHA1
9943bf6ae57f3a5139795f8d4765e54c95cf5645

SHA256
37e6da402bef7fca6027dbb2c9a2a81a637f3160f0e04241aee87b89177a0af2

SHA512
48b91012c8e106643979f30adea02e397ac8298f22c3ae6d169c8f7e357d601af03c27a43f72fc2ae3690e1a09d34d009c3aa876d31af635cf0857ef43a9a81f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
889e72c9fae3ee34eb4f11cc10a76b0c

SHA1
12fd79616ce1b81d7d5ab1e25c2f62447d81a687

SHA256
f051f2ed391bd18b760137cb7d2636fa56a0d650ab2de5c9d2001850e3357fdd

SHA512
62de6f50125595ddb2d2b55d4391eca114e9a1e23a75419f6662e1210c23a092e94fdd5eec76c24ff78f30553e617bfb3b7e91a9da0e20de814dd9cba9558178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6ad11aa06212e19cbc6336be820ebac6

SHA1
1a48816191ef9f4b363376a3ff7c461140bb135d

SHA256
9708ce6726af9f81bc9e8c3dba782b3ea77ec95879ebf11808515a40e47e0810

SHA512
e7733ba544ed0493e4f87cd5043a2e7dbdca48e899d146331b3ac6d9a1eb4fc50089d33d5051eef313aa09fa7c25c413bdcc68e421d01b8bf36eaaebf3de328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE542.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE5E1.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Documents\piratemamm\GebDGOsaGSm7to2SzufJrlV8.exe
Filesize
6.7MB

MD5
39c9e80e32b15c9010648e422e412ea1

SHA1
7053c8f8e505cbb18b4fa4cbc2e732b4f01f5362

SHA256
cef8b12b6541259d5fc2001e648b8fe33d58a001745a2bbe4cc9068bb961de2e

SHA512
430fb5def8e95c34f5b2a01ced0d07f9d10c3709795158e670a19b48e18701f8d9a5e5ea5a75d07661670f0ea7ec0ec5401fc0d502c005c5e1f2121b7e200499

Download Submit
C:\Users\Admin\Documents\piratemamm\Mu6oRwRJ1spSsX5uwY0eSXUO.exe
Filesize
3.7MB

MD5
2ab891d9c6b24c5462e32a0bab3d1fec

SHA1
4dbb387d2fce2b47ff3699468590466505ba7554

SHA256
6ffd157eb781504eadd72996c2cdbd4881034ffb7f7d2bc4b96d4daa61fb4d86

SHA512
0317a30e9e70d0ac8416f14a91119504fc40e9a72ee34d358741ebf820367abb3b18e2c64987f6d86d3c4a8952621aebeca83fa027d66edb456c749e56d42d89

Download Submit
C:\Users\Admin\Documents\piratemamm\O89rbVdMGKPLvK3cMaEeZPMc.exe
Filesize
287KB

MD5
f04052fb093c0ffe4484abbdac0d1cf1

SHA1
58dbf4a9ddd955e03032efc4c9cb97e13f67aa7c

SHA256
dae56bc934663460f6cece9445ff4c10183f33054c67be434b5af40245ddce59

SHA512
b8a5c5f0cd5e023df8f2af5c31a893acd218da1971e90e3daa76933b3c27f0f4e8af4a5848d33da75bf6bcec8de97aa86c099bc2e91dac71cf54265c8203f420

Download Submit
C:\Users\Admin\Documents\piratemamm\uOk6y5xtl3T4KnCq_Dd86Xpp.exe
Filesize
10.1MB

MD5
3b24971c5fef776db7df10a769f0857a

SHA1
ab314ddf208ef3e8d06f2f5e96f0f481075de0f4

SHA256
0d990bedac4696a67ad46dbc686750086f72f4795ed8a6121782ba3b0dc736b5

SHA512
f70dccd6fd95516eac21b0cc30c70fb5f17c3c8f1f3b28fe3bdaec6053c2de53daf68caf422dea8861e4ab84f3dd7be36965c6998c1380dbf2a05a2a74b36b28

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\Users\Admin\AppData\Local\MP3 CD Ripper Beta\mp3cdripperbeta32_64.exe
Filesize
3.1MB

MD5
969b33e0941fcd6a0e503c358f0ba03e

SHA1
28c81cc5df08c18b0f0e469510be8a9c9e3f402f

SHA256
44a960a466af20797daf0c7732a04d0195bea638242430d52cc387deda87b6f3

SHA512
ea007d6fcf7d2dd4b3d566195ba2c6450a623b78587a56c7494f32911ebcdb634d25293dfd47ef8eae698525b67c137392cce41a1d8faaea74c4b65a99009b88

Download Submit
\Users\Admin\AppData\Local\Temp\is-UH5A2.tmp\is-NVK62.tmp
Filesize
642KB

MD5
6580f6f26daf83c5e4d3e3b28e2f70f6

SHA1
5bc35126a341e038b96923db25c3f5424a631c5e

SHA256
e241bd09fc67344895f45de4fb9f147d618a8a5bcec360c83882675e75ebd672

SHA512
8f042bbbaec8f0a7cb31cfa44ed0e3d72100e3f3473f442e06ffc7f90322da4cb54979ba51365033cba927b801225d339e64b3b31c3b57483b76bd006908dd36

Download Submit
\Users\Admin\AppData\Local\Temp\is-VEIAE.tmp\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-VEIAE.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/832-483-0x0000000000C90000-0x0000000000FAA000-memory.dmp

Filesize
3.1MB

Download
memory/832-490-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/832-482-0x0000000000C90000-0x0000000000FAA000-memory.dmp

Filesize
3.1MB

Download
memory/832-481-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/832-487-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/1488-437-0x0000000000400000-0x000000000245F000-memory.dmp

Filesize
32.4MB

Download
memory/1724-480-0x0000000004180000-0x000000000449A000-memory.dmp

Filesize
3.1MB

Download
memory/1724-549-0x0000000004180000-0x000000000449A000-memory.dmp

Filesize
3.1MB

Download
memory/1724-495-0x0000000004180000-0x000000000449A000-memory.dmp

Filesize
3.1MB

Download
memory/1724-502-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/1724-547-0x0000000004180000-0x000000000449A000-memory.dmp

Filesize
3.1MB

Download
memory/1780-8-0x0000000077C70000-0x0000000077C72000-memory.dmp

Filesize
8KB

Download
memory/1780-5-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/1780-359-0x000000013F8C6000-0x000000013FA20000-memory.dmp

Filesize
1.4MB

Download
memory/1780-13-0x0000000077C80000-0x0000000077C82000-memory.dmp

Filesize
8KB

Download
memory/1780-11-0x0000000077C80000-0x0000000077C82000-memory.dmp

Filesize
8KB

Download
memory/1780-15-0x0000000077C80000-0x0000000077C82000-memory.dmp

Filesize
8KB

Download
memory/1780-20-0x0000000077C90000-0x0000000077C92000-memory.dmp

Filesize
8KB

Download
memory/1780-6-0x0000000077C70000-0x0000000077C72000-memory.dmp

Filesize
8KB

Download
memory/1780-16-0x0000000077C90000-0x0000000077C92000-memory.dmp

Filesize
8KB

Download
memory/1780-25-0x000007FEFD9A0000-0x000007FEFD9A2000-memory.dmp

Filesize
8KB

Download
memory/1780-18-0x0000000077C90000-0x0000000077C92000-memory.dmp

Filesize
8KB

Download
memory/1780-10-0x0000000077C70000-0x0000000077C72000-memory.dmp

Filesize
8KB

Download
memory/1780-1-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/1780-3-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/1780-23-0x000007FEFD9A0000-0x000007FEFD9A2000-memory.dmp

Filesize
8KB

Download
memory/1780-28-0x000007FEFD9B0000-0x000007FEFD9B2000-memory.dmp

Filesize
8KB

Download
memory/1780-30-0x000007FEFD9B0000-0x000007FEFD9B2000-memory.dmp

Filesize
8KB

Download
memory/1780-31-0x000000013F760000-0x000000013FCE0000-memory.dmp

Filesize
5.5MB

Download
memory/1780-419-0x000000013F8C6000-0x000000013FA20000-memory.dmp

Filesize
1.4MB

Download
memory/1780-0-0x000000013F8C6000-0x000000013FA20000-memory.dmp

Filesize
1.4MB

Download
memory/2280-484-0x0000000140000000-0x0000000141919000-memory.dmp

Filesize
25.1MB

Download
memory/2280-442-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/2280-440-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/2280-438-0x0000000077C60000-0x0000000077C62000-memory.dmp

Filesize
8KB

Download
memory/2332-418-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-501-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-417-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-414-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-413-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-415-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-416-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-397-0x0000000000D80000-0x000000000170F000-memory.dmp

Filesize
9.6MB

Download
memory/2332-546-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2332-430-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2468-503-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2468-498-0x0000000000D50000-0x000000000106A000-memory.dmp

Filesize
3.1MB

Download
memory/2468-496-0x0000000000D50000-0x000000000106A000-memory.dmp

Filesize
3.1MB

Download
memory/2468-497-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2468-552-0x0000000000D50000-0x000000000106A000-memory.dmp

Filesize
3.1MB

Download
memory/2468-555-0x0000000000400000-0x000000000071A000-memory.dmp

Filesize
3.1MB

Download
memory/2620-362-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2620-363-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2620-361-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2620-360-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2632-500-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2632-393-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download