Analysis Overview
SHA256
12dbec48583dd54a0c61d52636c27174cae85070ce51d531baebf4d1b1682bbd
Threat Level: Known bad
The file keygen nl brute for all versions.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
SectopRAT payload
RedLine
RedLine payload
Executes dropped EXE
Uses the VBS compiler for execution
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-04-22 05:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-22 05:18
Reported
2024-04-22 05:19
Platform
win7-20231129-en
Max time kernel
46s
Max time network
47s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2288 set thread context of 1656 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe
"C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | devinai.art | udp |
| US | 104.21.82.84:443 | devinai.art | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 1eb2806e81537a2b014027bce424271a |
| SHA1 | ec47fbdc9639c66f69b94686e5aacc8a9faf5971 |
| SHA256 | 4dd3f793826c15cdd55a1c8d87dd7f915e4b01dcc875d61ac06bf4f67bc96aef |
| SHA512 | 188bedacb7ab274ad986d03c28144e32704e8d94241a706d572fb917cd144b273a3f227b7a69998752de6c8130e59a6f14e140f59966ef12ac45c5877f986d90 |
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
| MD5 | 62b039b2af7bf5f6abf35ef903024300 |
| SHA1 | 4ae220e451482e839619c2e927752468e0eda8d5 |
| SHA256 | 83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5 |
| SHA512 | 8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-22 05:18
Reported
2024-04-22 05:19
Platform
win10-20240404-en
Max time kernel
47s
Max time network
49s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2604 set thread context of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe
"C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | devinai.art | udp |
| US | 172.67.155.109:443 | devinai.art | tcp |
| US | 8.8.8.8:53 | 109.155.67.172.in-addr.arpa | udp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 1eb2806e81537a2b014027bce424271a |
| SHA1 | ec47fbdc9639c66f69b94686e5aacc8a9faf5971 |
| SHA256 | 4dd3f793826c15cdd55a1c8d87dd7f915e4b01dcc875d61ac06bf4f67bc96aef |
| SHA512 | 188bedacb7ab274ad986d03c28144e32704e8d94241a706d572fb917cd144b273a3f227b7a69998752de6c8130e59a6f14e140f59966ef12ac45c5877f986d90 |
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
| MD5 | 62b039b2af7bf5f6abf35ef903024300 |
| SHA1 | 4ae220e451482e839619c2e927752468e0eda8d5 |
| SHA256 | 83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5 |
| SHA512 | 8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-22 05:18
Reported
2024-04-22 05:19
Platform
win10v2004-20240412-en
Max time kernel
42s
Max time network
44s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2668 set thread context of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe
"C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | devinai.art | udp |
| US | 104.21.82.84:443 | devinai.art | tcp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.82.21.104.in-addr.arpa | udp |
| BG | 5.181.80.133:46720 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| BG | 5.181.80.133:46720 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.173.246.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| BG | 5.181.80.133:46720 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| BG | 5.181.80.133:46720 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 1eb2806e81537a2b014027bce424271a |
| SHA1 | ec47fbdc9639c66f69b94686e5aacc8a9faf5971 |
| SHA256 | 4dd3f793826c15cdd55a1c8d87dd7f915e4b01dcc875d61ac06bf4f67bc96aef |
| SHA512 | 188bedacb7ab274ad986d03c28144e32704e8d94241a706d572fb917cd144b273a3f227b7a69998752de6c8130e59a6f14e140f59966ef12ac45c5877f986d90 |
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
| MD5 | 62b039b2af7bf5f6abf35ef903024300 |
| SHA1 | 4ae220e451482e839619c2e927752468e0eda8d5 |
| SHA256 | 83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5 |
| SHA512 | 8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e |
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-22 05:18
Reported
2024-04-22 05:19
Platform
win11-20240412-en
Max time kernel
33s
Max time network
37s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1416 set thread context of 4668 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe
"C:\Users\Admin\AppData\Local\Temp\keygen nl brute for all versions.exe"
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
"C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | devinai.art | udp |
| US | 172.67.155.109:443 | devinai.art | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
| BG | 5.181.80.133:46720 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\1.exe
| MD5 | 1eb2806e81537a2b014027bce424271a |
| SHA1 | ec47fbdc9639c66f69b94686e5aacc8a9faf5971 |
| SHA256 | 4dd3f793826c15cdd55a1c8d87dd7f915e4b01dcc875d61ac06bf4f67bc96aef |
| SHA512 | 188bedacb7ab274ad986d03c28144e32704e8d94241a706d572fb917cd144b273a3f227b7a69998752de6c8130e59a6f14e140f59966ef12ac45c5877f986d90 |
C:\Users\Admin\AppData\Local\Temp\KeyGen by PC-RET.exe
| MD5 | 62b039b2af7bf5f6abf35ef903024300 |
| SHA1 | 4ae220e451482e839619c2e927752468e0eda8d5 |
| SHA256 | 83d7f6eaf7fe075503ea6a0bc726633c34595a6eae7edd7deab95ab4d4a66fd5 |
| SHA512 | 8abcf2fb422465fa578eb59e2788317ef88360551b675c964e03475a865e22dd4b86550bb442c1823fa72de059cedb438cac34538dcb291ccdb22fd34ee5433e |