Analysis

max time kernel: 106s
max time network: 108s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/04/2024, 01:01
General

Target: Deadly Team and VBR Cracked by SobFoX.zip
Size: 5.6MB
MD5: 0e88574b3a438a440bcb6ff128c1ccd6
SHA1: f129feeee9950e9bc24954888ac80573d7839184
SHA256: c603a87cacf12026db4d215e466599ca52f495334eb78fb438aaaa834437f5f1
SHA512: e41ff983d76ad12ad98c25b2ce0cfe0620c22286548896bfb5d0172e573a9cb092d1439d5564733f3a99b62451ad95bdacb73b1fa2b19c21ef7873740e89fc33
SSDEEP: 98304:KpLVv28w/9eROXezMjNwwiIekrPSqjrr7sVNu2MZPHaIU5zi5D8KbkFPlvj5LO3Q:KpL88Q9eYNO/qSqsN5MZPHaIU5zi51k1
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

  description   ioc                                          Process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  NewLoader.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  NewLoader.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  NewLoader.exe
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  NewLoader.exe

Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.

  description        ioc                                                             Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   NewLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  NewLoader.exe

Themida packer (yara rule: themida)

  resource                                                                            yara_rule
  behavioral1/memory/5040-13-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/5040-15-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/5040-16-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/5040-17-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/5040-18-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/5040-19-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/5040-20-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/2848-24-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/2848-25-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/2848-26-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/2848-27-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/2848-28-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/2848-29-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/1708-32-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/1708-33-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/1708-34-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/1708-35-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/1708-36-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/1708-37-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp         themida
  behavioral1/memory/676-41-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp          themida
  behavioral1/memory/676-42-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp          themida
  behavioral1/memory/676-43-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp          themida
  behavioral1/memory/676-44-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp          themida
  behavioral1/memory/676-45-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp          themida
  behavioral1/memory/676-46-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp          themida

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

  pid   Process
  5040  NewLoader.exe
  2848  NewLoader.exe
  1708  NewLoader.exe
  676   NewLoader.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.

  description        ioc                                                                                                                                          Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                             taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                taskmgr.exe

Delays execution with timeout.exe 1 IoCs

  pid   Process
  4604  timeout.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

  pid   Process
  2180  PING.EXE
  1636  PING.EXE
  636   PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs
(distinct rows; the report repeats each row once per observed call)

  pid   Process
  1688  taskmgr.exe
  1832  crack.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
(distinct rows; the report repeats each row once per observed call)

  description                     pid   Process
  Token: SeDebugPrivilege         1688  taskmgr.exe
  Token: SeSystemProfilePrivilege 1688  taskmgr.exe
  Token: SeCreateGlobalPrivilege  1688  taskmgr.exe
  Token: SeDebugPrivilege         1832  crack.exe

Suspicious use of FindShellTrayWindow 64 IoCs
(distinct rows; the report repeats each row once per observed call)

  pid   Process
  1688  taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs
(distinct rows; the report repeats each row once per observed call)

  pid   Process
  1688  taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

  pid   Process
  2988  crack.exe

Suspicious use of WriteProcessMemory 64 IoCs
(distinct rows; the report repeats each row once per observed write)

  description                        pid   Process        procid_target
  PID 3728 wrote to memory of 4004   3728  cmd.exe        115
  PID 4004 wrote to memory of 3836   4004  net.exe        116
  PID 3728 wrote to memory of 1832   3728  cmd.exe        117
  PID 3728 wrote to memory of 2180   3728  cmd.exe        119
  PID 3728 wrote to memory of 5040   3728  cmd.exe        120
  PID 1832 wrote to memory of 5040   1832  crack.exe      120
  PID 5040 wrote to memory of 3140   5040  NewLoader.exe  122
  PID 4704 wrote to memory of 116    4704  cmd.exe        133
  PID 116 wrote to memory of 4508    116   net.exe        134
  PID 4704 wrote to memory of 4600   4704  cmd.exe        135
  PID 4704 wrote to memory of 1636   4704  cmd.exe        137
  PID 4704 wrote to memory of 2848   4704  cmd.exe        138
  PID 4600 wrote to memory of 2848   4600  crack.exe      138
  PID 2848 wrote to memory of 4508   2848  NewLoader.exe  140
Processes
(child processes are indented under their parent)

C:\Windows\Explorer.exe
  command line: C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Deadly Team and VBR Cracked by SobFoX.zip"
  PID: 4332

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3684

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1688
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\start.cmd" "
  PID: 3728
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe
      command line: net session
      PID: 4004
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 session
          PID: 3836

    C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
      command line: "crack.exe"
      PID: 1832
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      command line: ping -n 3 127.0.0.1
      PID: 2180
      - Runs ping.exe

    C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
      command line: "NewLoader.exe"
      PID: 5040
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c cls
          PID: 3140

C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\start.cmd"
  PID: 4704
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\net.exe
      command line: net session
      PID: 116
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 session
          PID: 4508

    C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
      command line: "crack.exe"
      PID: 4600
      - Suspicious use of WriteProcessMemory

    C:\Windows\system32\PING.EXE
      command line: ping -n 3 127.0.0.1
      PID: 1636
      - Runs ping.exe

    C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
      command line: "NewLoader.exe"
      PID: 2848
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c cls
          PID: 4508

C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
  command line: "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe"
  PID: 1708
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      PID: 3584

        C:\Windows\system32\certutil.exe
          command line: certutil -hashfile "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe" MD5
          PID: 868

        C:\Windows\system32\find.exe
          command line: find /i /v "md5"
          PID: 2988

        C:\Windows\system32\find.exe
          command line: find /i /v "certutil"
          PID: 4176

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Initialized && timeout /t 5"
      PID: 3376

        C:\Windows\system32\cmd.exe
          command line: cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Initialized && timeout /t 5"
          PID: 712

            C:\Windows\system32\timeout.exe
              command line: timeout /t 5
              PID: 4604
              - Delays execution with timeout.exe

C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
  command line: "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe"
  PID: 2988
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\start.cmd" "
  PID: 2596

    C:\Windows\system32\net.exe
      command line: net session
      PID: 4000

        C:\Windows\system32\net1.exe
          command line: C:\Windows\system32\net1 session
          PID: 4664

    C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
      command line: "crack.exe"
      PID: 4536

    C:\Windows\system32\PING.EXE
      command line: ping -n 3 127.0.0.1
      PID: 636
      - Runs ping.exe

    C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
      command line: "NewLoader.exe"
      PID: 676
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Suspicious use of NtSetInformationThreadHideFromDebugger

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c cls
          PID: 1336