Malware Analysis Report

2025-05-05 22:24

Sample ID: 231014-dfkjzsef64
Target: 871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479
SHA256: 871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479
Tags: agilenet upx
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479

Threat Level: Shows suspicious behavior

The file 871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479 was found to show suspicious behavior.

Malicious Activity Summary

agilenet upx

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

UPX packed file

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-10-14 02:57

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-14 02:57

Reported: 2023-10-14 16:30

Platform: win7-20230831-en

Max time kernel: 120s

Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand\CLSID C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand\CLSID\ = "{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\ = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\Class = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand\ = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\ProgId\ = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\Class = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\Assembly = "Get, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\ProgId C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\Implemented Categories C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\Assembly = "Get, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/SeQID.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/SeQID.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe

"C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\SeQID.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\SeQID.dll /codebase

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\SeQID.dll

MD5 7f928bbfeadc9c8ab63097ab424aa60b
SHA1 99375d12aba274a404f3925f4b243114d972ff5b
SHA256 aa950d3dd2e1b13affa176bf55f0fee05e9903547ddace19bb75d36cca923b57
SHA512 47319daeaffdca9163823a6bf90ae0a1ead12a3d2e474337bbd674dd58c417e9d3e26431a622858205d247684eb8c01185c30630e22bfe4ee6e38623e2c60f1e

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-14 02:57

Reported: 2023-10-14 16:30

Platform: win10v2004-20230915-en

Max time kernel: 156s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe"

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\ProgId C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\ = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\ThreadingModel = "Both" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}\0 = ".NET Category" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\Assembly = "Get, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\Implemented Categories C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand\ = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\Class = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\ProgId\ = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand\CLSID\ = "{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\Class = "Get.Rand" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\Assembly = "Get, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\RuntimeVersion = "v4.0.30319" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/SeQID.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Get.Rand\CLSID C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DEF633B8-9402-3FA9-B4E3-FB1DE789DA6D}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/SeQID.dll" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe

"C:\Users\Admin\AppData\Local\Temp\871524840bcfc675aba1ad2ff612241349b2da8a9d39add9a05e63709f8fa479.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\SeQID.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\SeQID.dll /codebase

Network


Files

C:\Users\Admin\AppData\Local\Temp\SeQID.dll

MD5 7f928bbfeadc9c8ab63097ab424aa60b
SHA1 99375d12aba274a404f3925f4b243114d972ff5b
SHA256 aa950d3dd2e1b13affa176bf55f0fee05e9903547ddace19bb75d36cca923b57
SHA512 47319daeaffdca9163823a6bf90ae0a1ead12a3d2e474337bbd674dd58c417e9d3e26431a622858205d247684eb8c01185c30630e22bfe4ee6e38623e2c60f1e