Malware Analysis Report

2024-09-23 04:54

Sample ID 220524-wvkseacfd3
Target f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b
SHA256 f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b
Tags: themida evasion spyware stealer trojan qulab discovery upx
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b

Threat Level: Known bad

The file f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b was found to be: Known bad.

Malicious Activity Summary

themida evasion spyware stealer trojan qulab discovery upx

Qulab Stealer & Clipper

ACProtect 1.3x - 1.4x DLL software

Identifies VirtualBox via ACPI registry values (likely anti-VM)

UPX packed file

Executes dropped EXE

Sets file to hidden

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Checks installed software on the system

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Views/modifies file attributes

Suspicious use of WriteProcessMemory

NTFS ADS

Suspicious behavior: RenamesItself

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-05-24 18:14

Signatures

Themida packer

themida

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-24 18:14

Reported

2022-05-24 18:49

Platform

win7-20220414-en

Max time kernel

152s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
PID 1780 wrote to memory of 520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
PID 1780 wrote to memory of 1336 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe

"C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {6761C8ED-73C1-44F6-8BF5-833E7DA8F870} S-1-5-21-790309383-526510583-3802439154-1000:TVHJCWMH\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-05-24 18:14

Reported

2022-05-24 18:49

Platform

win10v2004-20220414-en

Max time kernel

160s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe"

Signatures

Qulab Stealer & Clipper

stealer qulab

ACProtect 1.3x - 1.4x DLL software


Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe N/A

Sets file to hidden

evasion

UPX packed file

upx

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A

AutoIT Executable


Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A

Enumerates physical storage devices

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\winmgmts:\localhost\ C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\winmgmts:\localhost\ C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe
PID 3560 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe
PID 3560 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe C:\Windows\SysWOW64\attrib.exe
PID 3560 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe

"C:\Users\Admin\AppData\Local\Temp\f29903033ff296dbb07a3a869bd7c3b2f135e12ed1be227691040dfe5272677b.exe"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe a -y -mx9 -ssw "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\[] .7z" "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\*"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2"

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2"

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3560 -ip 3560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 3068

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.exe

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 8.238.21.126:80 tcp
NL 52.178.17.2:443 tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
FR 2.16.119.157:443 tcp
US 8.8.8.8:53 ipapi.co udp
US 104.26.8.44:443 ipapi.co tcp

Files

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.sqlite3.module.dll

MD5 8c127ce55bfbb55eb9a843c693c9f240
SHA1 75c462c935a7ff2c90030c684440d61d48bb1858
SHA256 4f93f3543139febb91e0c95dc9351008e9147a484732ee5962c7df64f6868028
SHA512 d3578bd7ef01f9e25983c24eb9bb33f25c37d650cc79b823c3ec19f196d4a00deb506c1e1f774f15e5664d5263b02570fec11b322022b90a0ff1b10943188a02

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\dinput.module.exe

MD5 946285055913d457fda78a4484266e96
SHA1 668661955bf3c20b9dc8cdaa7ec6e8dbbbd63285
SHA256 23ca34a7d22fdb7d36014928c089c982cdfb903e9143aea60d38f228c9594beb
SHA512 30a490b774d5736215b340d3a192825dc1dfbb7c8d9974c8ab2a09eff2429ed7cf99969ec6d651c8056549798da092ffa600681288dbd7c6f60515acd3630d95

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ResetDebug.txt

MD5 4f6319774557c50fd6aa83abe882ce34
SHA1 f9c278ea28dd03a3bc5761923aa81f89cc3fb4d7
SHA256 11f16de6d3964195d1485d8ce7d777d1a70c5c9d8a113cafc9d6d6012d1d55d2
SHA512 da97f409dba6f4424e65f5187d2483b7c94b941c7f04cddc96892ed431232c31353f2d54ccb2e15b7ae7b98c27bf7dfdc1a36c727d2fc3652173b1e562004c37

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\InstallAssert.xlsx

MD5 0406d79ff8c54eede2b3b42d09a4a3f5
SHA1 779a55a7d49eaf56337fa3073874ebebb579c42d
SHA256 12c4c322d70693d2de15b01ce7779790c719f56f7c9ec8e839dcf9bd3148016c
SHA512 370b5e8254d6bb20fd8ee5ec0c2fa89f3f2390a3a8768967fa26b459affc98251d6e0a62fd86271fdaf0a714d50c9daec1849a0c0e77d063031e9eb82c8a9855

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Files.docx

MD5 4a8fbd593a733fc669169d614021185b
SHA1 166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA512 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\InstallCompress.xlsx

MD5 a5427f3e30dec224a0a93adab4705013
SHA1 35e3600e5abbd8ced3f8dec5a66e32d876f53a7f
SHA256 d86e59d1c77ea8ededeb88a733bd492cfdcb743bbf737c8a29215cf68b44a0da
SHA512 cd8aa76d86bcfceb35848faa666651bf069a879f4f8ad89aa8882d757871a0a2bfd8c0949cc0c9e7ac79038c11c8bf5792cb4921a470adf0931a070255d80386

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\MeasureUninstall.doc

MD5 f400e8c69d45f774c645e4bb56c13fa5
SHA1 806345cc9d918218a3aac4d2a41236b252b0d1f7
SHA256 6e7d4232d535b9bb0e53826c789f9d5f876d1d1d0e7997e28698032fd2a852e5
SHA512 2e75e2d73fb0864792568f01e9254498915b4b444a997215acf71176b89ba3e86f2f4454e5ffacc58ae11bd417a2815419ae9134c58efcf634fc3382136089c7

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Screen.jpg

MD5 56916b2d1fdbfb42d632c00256f643de
SHA1 7cabf4d655c9b4c21c4872942a648cc05afac23a
SHA256 c1031781044abdd62090f8802ff8c83ff5c58c8229fa347fbf7a8e89dcffc207
SHA512 5beea674c8f8d1bd38c1c2d65fa61b175a6872d38cf43e1115b303d78cc56f03e0a2232266b13baee47ea68beb6e929dfaa0ff937043726813eaa41cf95dc0a9

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Information.txt

MD5 3cbfedec82b79de859c8f251179ff0c9
SHA1 24690d3889ba7b5f2b4ffa6c7cd7b0a75b4f57e0
SHA256 344ed7ceca03728b98a71dab10ad1d1ee53905a7d2889c779804ae578505ce45
SHA512 9ad933b1a20fb7d85963044882ae549699aca1d94b2d0bcb98697e9729ef4f8ce4066de557a228504dc774390f1292cac3f9dbaaf3308354647e524e1f3c219e

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\These.docx

MD5 87cbab2a743fb7e0625cc332c9aac537
SHA1 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA256 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA512 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\SuspendTrace.xlsx

MD5 5ad626643ea639d17cc0d41c521c53bf
SHA1 7845c9619b5a26793e76f95c83c56793ce683b00
SHA256 a055af2fab7a130428705a38fa9fda147663ad31ae675662de07521e53f17ae3
SHA512 5e1523b6a3c87f5c6131dc75027872696e0d1fffae96b890b4d9322cad05525014ad6ceec268cf104b66321e4afd18012827a4be0f8ccd537cd8b9a80d8b08b6

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Recently.docx

MD5 3b068f508d40eb8258ff0b0592ca1f9c
SHA1 59ac025c3256e9c6c86165082974fe791ff9833a
SHA256 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512 e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-f12-f12appframe2\1\Desktop TXT Files\ts\Opened.docx

MD5 bfbc1a403197ac8cfc95638c2da2cf0e
SHA1 634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512 b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 1fbea7bfc773d8692802b9d72e0aa997
SHA1 475cd83c08d14bfc2fb2d5ac9bf3762474d1eed1
SHA256 0a6c67541384ab7cdaa50fd7ad85c0d4c70f8d41a95a9200e622416c0701a3e8
SHA512 3b5ca4830685747d9733262ab484288c21cab85d2458d278acf937643c48f02d5af76a19ec1c9bda6721d3c605f53f7430c02c39b38e5486fabebd4431b08dd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

MD5 c9ac0cf1a938343a1778e63ab795f0f4
SHA1 d0a4444a3cee891e41e9223fe547d3ebd806b855
SHA256 effa1a5d41575db5a9f978e7f256a047134a0bd72d66223b5f04d017d5005406
SHA512 1924dea086090a3897a8b48cff2d903256a68573e471dcd4ccce603f53c68fdf82d96a0c87e5e65f2a1078fbb15464f4c3b61946bf21394328575625c862d650