Analysis Overview
SHA256
c6fb597368ddc8bbd2f5190499e4af824b050c2a1665a35327c6c1f968826df6
Threat Level: Shows suspicious behavior
The file Velocc Permanent Spoofer v5.rar was found to be: Shows suspicious behavior. No malware family was matched; the verdict rests on the generic signatures listed below. Read against the per-analysis detail, most of those signatures come from components bundled in the archive rather than from the spoofer itself: "RUN ME FIRST.exe" is a WiX Burn installer (the -burn.clean.room relaunch and wixstdba.dll), "RUN ME ALSO.exe" is an IExpress self-extractor that runs the DirectX web setup (IXP000.TMP, dxwsetup.exe, the wextract_cleanup0 RunOnce value), and the System32 writes in behavioral6 and behavioral8 are Windows's own WMIADAP.EXE rebuilding performance-counter files. The points specific to the sample are the Themida-packed "Velo.cc Spoofer_protected.exe" (a 64-bit image mapped at 0x140000000) which shows no further behaviour in any detonation, and restart64.exe enabling SeLoadDriverPrivilege, which is what a tool that intends to load a driver needs. Treat the report as inconclusive for the packed binary, not as a clean result.
Malicious Activity Summary
Executes dropped EXE
Themida packer
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 17:08
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(7 matches in the static pass; the report records no per-file detail for any of them)
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240611-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
162s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\reset-all.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.169.36.23.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 142.250.186.138:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 138.186.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
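The Network tables in this report mix three kinds of rows: reverse (PTR) lookups the sandbox itself issues for every peer it sees, background traffic from the Windows 10 / Edge image (g.bing.com, chromewebstore.googleapis.com), and a few bare-IP connections with no name, such as 96.16.110.114:80 and 13.107.253.64:443 above. The Python below is an added example, not part of the report: it parses rows in the table format used here (including the shifted form the extracted report sometimes uses, with the protocol in the Domain column and Proto empty) and returns only the destinations that still need attribution. The baseline domain list is an assumption; rebuild it from a known-clean detonation on your own image.

```python
import re
from dataclasses import dataclass

# Constructed input: rows copied from the behavioral4 and behavioral8 Network
# tables of this report, two of them in the shifted form (protocol in the
# Domain column, empty Proto) that the extracted report uses for bare-IP rows.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| DE | 142.250.186.138:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
"""

# Names the stock sandbox image contacts on its own. Assumed baseline: build
# yours from detonations of a known-clean file on the same image.
BASELINE_DOMAINS = {"g.bing.com", "www.bing.com", "chromewebstore.googleapis.com"}
DEST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


@dataclass
class Conn:
    country: str
    dest: str
    domain: str
    proto: str
    label: str


def parse_row(line):
    """Split one table row; tolerate the Proto value landing in the Domain column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or not DEST_RE.match(cells[1]):
        return None  # header row or not a connection row
    country, dest, rest = cells[0], cells[1], [c for c in cells[2:] if c]
    proto = next((c for c in rest if c in ("tcp", "udp")), "")
    domain = next((c for c in rest if c not in ("tcp", "udp")), "")
    return country, dest, domain, proto


def classify(dest, domain):
    if dest.endswith(":53") and domain.endswith(".in-addr.arpa"):
        return "ptr-lookup"    # reverse lookups the sandbox issues for every peer IP
    if domain in BASELINE_DOMAINS:
        return "baseline"      # OS / browser background traffic
    if dest.endswith(":53"):
        return "dns-query"     # resolution of a name not in the baseline
    if not domain:
        return "unattributed"  # bare IP, no name observed: needs passive DNS / WHOIS
    return "review"


def triage(table):
    conns = []
    for line in table.splitlines():
        parsed = parse_row(line)
        if parsed:
            country, dest, domain, proto = parsed
            conns.append(Conn(country, dest, domain, proto, classify(dest, domain)))
    return conns


def unattributed(table):
    """Destinations worth a second look, in table order, without duplicates."""
    seen = []
    for c in triage(table):
        if c.label == "unattributed" and c.dest not in seen:
            seen.append(c.dest)
    return seen
```

Bare-IP rows are not automatically malicious: the two flagged here are on 80/443 with no preceding DNS query in the table, which is also what a CDN edge reached by the browser looks like. Resolve them through passive DNS before treating them as command-and-control.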
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Note: every row in this table and in the System32 table above is written by WMIADAP.EXE (wmiadap.exe /R /T in the process list below), the WMI performance adapter that rebuilds the perfc*/perfh* counter-string files and the WmiApRpl provider files. It is started by the WMI service, not by restart64.exe, so these rows are sandbox background activity; the sample-attributable rows in this analysis are the restart64.exe entries under AdjustPrivilegeToken and FindShellTrayWindow.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: 33 (privilege LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
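AdjustPrivilegeToken rows carry more than the generic signature name suggests: which privilege was enabled decides whether the row matters. SeLoadDriverPrivilege (restart64.exe, above) is what a process needs before NtLoadDriver, the AUDIODG.EXE rows are the audio engine's routine priority adjustments, and "Token: 33" is the raw privilege LUID printed when the sandbox has no name for it. The Python below is an added example, not part of the report: it maps LUIDs and the report's spelling to winnt.h names, groups privileges per process, and returns the high-risk pairs. The LUID table is the well-known winnt.h assignment; the high-risk set is this editor's choice, not a category of the sandbox.

```python
# Well-known privilege LUIDs from winnt.h (SE_*_PRIVILEGE). The sandbox prints
# the raw number, as in "Token: 33" above, when it has no name for a LUID.
PRIVILEGE_LUIDS = {
    2: "SeCreateTokenPrivilege", 3: "SeAssignPrimaryTokenPrivilege",
    4: "SeLockMemoryPrivilege", 5: "SeIncreaseQuotaPrivilege",
    6: "SeMachineAccountPrivilege", 7: "SeTcbPrivilege", 8: "SeSecurityPrivilege",
    9: "SeTakeOwnershipPrivilege", 10: "SeLoadDriverPrivilege",
    11: "SeSystemProfilePrivilege", 12: "SeSystemtimePrivilege",
    13: "SeProfileSingleProcessPrivilege", 14: "SeIncreaseBasePriorityPrivilege",
    15: "SeCreatePagefilePrivilege", 16: "SeCreatePermanentPrivilege",
    17: "SeBackupPrivilege", 18: "SeRestorePrivilege", 19: "SeShutdownPrivilege",
    20: "SeDebugPrivilege", 21: "SeAuditPrivilege", 22: "SeSystemEnvironmentPrivilege",
    23: "SeChangeNotifyPrivilege", 24: "SeRemoteShutdownPrivilege",
    25: "SeUndockPrivilege", 26: "SeSyncAgentPrivilege", 27: "SeEnableDelegationPrivilege",
    28: "SeManageVolumePrivilege", 29: "SeImpersonatePrivilege",
    30: "SeCreateGlobalPrivilege", 31: "SeTrustedCredManAccessPrivilege",
    32: "SeRelabelPrivilege", 33: "SeIncreaseWorkingSetPrivilege",
    34: "SeTimeZonePrivilege", 35: "SeCreateSymbolicLinkPrivilege",
    36: "SeDelegateSessionUserImpersonatePrivilege",
}

# Spellings the report uses that differ from the winnt.h privilege string.
ALIASES = {"SeIncBasePriorityPrivilege": "SeIncreaseBasePriorityPrivilege"}

# Editor's choice: privileges that, once enabled, give a path to kernel or
# SYSTEM-level code execution and so deserve a look on any non-OS process.
HIGH_RISK = {
    "SeLoadDriverPrivilege", "SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeTakeOwnershipPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege", "SeRelabelPrivilege",
    "SeManageVolumePrivilege",
}

# Constructed input: the AdjustPrivilegeToken table of this analysis as the
# report prints it (raw LUID included).
SAMPLE = r"""
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
"""


def canonical(desc):
    """'Token: 33' or 'Token: SeIncBasePriorityPrivilege' -> winnt.h privilege name."""
    value = desc.split(":", 1)[1].strip() if ":" in desc else desc.strip()
    if value.isdigit():
        return PRIVILEGE_LUIDS.get(int(value), "UnknownPrivilege(%s)" % value)
    return ALIASES.get(value, value)


def privileges_by_process(table):
    """{process path: sorted privilege names enabled via AdjustTokenPrivileges}."""
    out = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("Token:"):
            continue  # header row or a row of another signature type
        out.setdefault(cells[2], set()).add(canonical(cells[0]))
    return {proc: sorted(privs) for proc, privs in out.items()}


def high_risk_findings(table, ignore_system=True):
    """(process, privilege) pairs to escalate; by default skip binaries in the
    Windows system directory, whose privilege use is routine unless injected into."""
    findings = []
    for proc, privs in privileges_by_process(table).items():
        if ignore_system and proc.lower().startswith("c:\\windows\\system32\\"):
            continue
        findings.extend((proc, p) for p in privs if p in HIGH_RISK)
    return findings
```

Run it over every AdjustPrivilegeToken table in a report and compare with a clean detonation. On this sample the only high-risk hit is restart64.exe with SeLoadDriverPrivilege, which says the tool is prepared to load a driver; the report has no signature showing that a driver was actually loaded.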
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x8c 0x3fc
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.169.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\System32\perfc011.dat
| MD5 | eef14d868d4e0c2354c345abc4902445 |
| SHA1 | 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d |
| SHA256 | 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f |
| SHA512 | c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | b133a676d139032a27de3d9619e70091 |
| SHA1 | 1248aa89938a13640252a79113930ede2f26f1fa |
| SHA256 | ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15 |
| SHA512 | c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5 |
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | ffdeea82ba4a5a65585103dd2a922dfe |
| SHA1 | 094c3794503245cc7dfa9e222d3504f449a5400b |
| SHA256 | c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390 |
| SHA512 | 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a |
C:\Windows\System32\perfh007.dat
| MD5 | 82d7f8765db25b313ecf436572dbe840 |
| SHA1 | da9ed48d5386a1133f878b3e00988cbf4cdebab8 |
| SHA256 | 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3 |
| SHA512 | 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8 |
C:\Windows\System32\perfc007.dat
| MD5 | 1bd26a75846ce780d72b93caffac89f6 |
| SHA1 | ff89b7c5e8c46c6c2e52383849bbf008bd91d66e |
| SHA256 | 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a |
| SHA512 | 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e |
C:\Windows\System32\perfh00C.dat
| MD5 | 099a4cfda7f72958205e2dc897df9d70 |
| SHA1 | 3acf3a8bc62f4acea89fcfc721d0c57822bad6cf |
| SHA256 | 454dae9e37ca1458c67087f801a7a8a73d73f43c4efb57f64d624c5190662c40 |
| SHA512 | a531d8767afc2ce8005c9433f430acb27011c7ff41db25a69e70f0433fe6224a8f42c7d95aa3a4680d60c4351f26014e05a7d79d9faba42817a3e700c385750f |
C:\Windows\System32\perfc00C.dat
| MD5 | 6adbb878124fcd6561655718f12bff5f |
| SHA1 | 1711619dda04178fb47eea6658da6ad52f6cf660 |
| SHA256 | 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf |
| SHA512 | 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006 |
C:\Windows\System32\perfh011.dat
| MD5 | 7f2b576ab40800aa5f1e3c163176c1c7 |
| SHA1 | 7c24fd2342498e1095f58d264078988323834e20 |
| SHA256 | f98dfd85751e15486b725d4f36f7ef3fa0d72b76dd48401ce93e68b19e486e60 |
| SHA512 | 6780454b0ca385ae18baae45ca37103aa69352ce5dcf1f16debe6a49923a4137e4e1471439853ca8a965c12a9a5498b5f634119a1d9daaf5301e43663da7db94 |
C:\Windows\System32\perfh010.dat
| MD5 | 2b41db88b556a31593911ade702a8306 |
| SHA1 | 9820c8ffef6b27fad15badab22408eaf52d58300 |
| SHA256 | 61a5192c872e646050ee10eaef95bbc313fb7ae639b43c1ed3d2040f50cc1186 |
| SHA512 | 0b0c6b8cae683aa645ea2e0285209ac6d82624bfdacdb4e0b92d8118c30fa2fa6def665150b548e4adbee399074f73a961217e6065b05e65919c198efeb424f6 |
C:\Windows\System32\perfc010.dat
| MD5 | dd17fab2e74e18fa9a8dd7c2475de6fc |
| SHA1 | 0fb0656ebdacc28c2d056ceff2579a485507b3f9 |
| SHA256 | 3b56a360bf9cac36d8cdf9a76147c504490444e65c1435c188d0174e63da8a65 |
| SHA512 | 3ccc0f4e536649d88a524e0fc2a4036a2d3354d76a7b563733751ff70b8e4fa6603de61c3d065db28df8e27fab32fd7a83297b3d8decbd13433bcd3d221cbadf |
C:\Windows\System32\perfh00A.dat
| MD5 | feb35e575911f5d568fbbfa7d0434412 |
| SHA1 | e896dfc32b25633322d2e252cfa65520d30677a2 |
| SHA256 | bf628d6ab769fc710e7eb097ca0132bd88cfbf63bd3aa08e24cd5820594fccf9 |
| SHA512 | c9544c2cfed9fc11696896cd6d6184f9de0e8e26d3d61cf211449de77d9ec8cac000d3408ccac8baf078a82ed73f735e9f740a00af59a392f14673e2bae056b5 |
C:\Windows\System32\perfc00A.dat
| MD5 | 6d4b430c2abf0ec4ca1909e6e2f097db |
| SHA1 | 97c330923a6380fe8ea8e440ce2c568594d3fff7 |
| SHA256 | 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e |
| SHA512 | cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b |
C:\Windows\System32\perfh009.dat
| MD5 | 407f4fed9a4510646f33a2869a184de8 |
| SHA1 | e2e622f36b28057bbfbaee754ab6abac2de04778 |
| SHA256 | 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615 |
| SHA512 | 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240611-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe | N/A |
Checks installed software on the system
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe"
C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe
"C:\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
Network
Files
\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe
| MD5 | 53e9222bc438cbd8b7320f800bef2e78 |
| SHA1 | c4f295d8855b4b16c7450a4a9150eb95046f6390 |
| SHA256 | 0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888 |
| SHA512 | 7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a |
\Windows\Temp\{A53D535B-1BEC-43B5-BAF5-4A1730102169}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{A53D535B-1BEC-43B5-BAF5-4A1730102169}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240611-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe"
Network
Files
memory/2248-1-0x0000000140000000-0x0000000140CA5000-memory.dmp
memory/2248-0-0x0000000140000000-0x0000000140CA5000-memory.dmp
Note: both dumps cover the full 0xCA5000-byte image at the x64 default base 0x140000000. A Themida-protected image stays encrypted and virtualized in memory, so these dumps are not a substitute for unpacking, and no other behaviour was recorded for this process on Windows 7.
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240220-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 764 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 764 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
| PID 764 wrote to memory of 2192 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Note: this is not injection. The sandbox exercised zlib1.dll by calling its export ordinal 1 through rundll32, the rundll32 process (PID 764) faulted, and the writes are that process starting its own crash handler (WerFault.exe -u -p 764 -s 80, below). A parent writes into a child's address space as part of CreateProcess, so this signature fires for any process that launches another; the parent-to-child pairs in behavioral5, behavioral10 and behavioral12 are the same pattern.
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\zlib1.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 764 -s 80
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240611-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
memory/2984-0-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2984-1-0x0000000000400000-0x0000000000552000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | N/A |
Note: this is the standard IExpress/wextract cleanup entry, not application persistence. The RunOnce value calls advpack.dll's DelNodeRunDLL32 once, at the next logon, to delete the IXP000.TMP extraction directory; Windows removes RunOnce values before executing them. The program actually launched by "RUN ME ALSO.exe" is dxwsetup.exe (DirectX web setup) extracted into that directory.
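A RunOnce value under the IExpress cleanup name and a Run value that starts a payload at every logon are different things, but the generic "Adds Run key" signature reports them the same way. The Python below is an added example, not part of the report: it parses the indicator string in the format used above (including the report's escaped backslashes and quotes), separates key, value name and data, and applies one rule: a RunOnce value named wextract_cleanupN whose data is advpack.dll,DelNodeRunDLL32 pointing at an IXPnnn.TMP directory is self-extractor housekeeping; anything else under Run is persistence to review. The second sample row is constructed to show the persistence case and does not come from this analysis.

```python
import re

# Constructed input: the RunOnce row from this analysis as printed above, plus
# a hypothetical Run value (not from the report) that shows what a real
# persistence entry looks like to the same rule.
ROWS = r"""
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" | C:\Users\Admin\AppData\Local\Temp\example.exe | N/A |
"""

# The IExpress cleanup command shape: rundll32 advpack.dll,DelNodeRunDLL32 "<dir>"
CLEANUP_CMD = re.compile(
    r'^rundll32(?:\.exe)?\s+.*\\advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$', re.I)
# IExpress extraction directories are named IXP000.TMP, IXP001.TMP, ...
IEXPRESS_DIR = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.I)


def unescape(data):
    """Undo the report's escaping of backslashes and quotes inside the value data."""
    data = data.strip()
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_row(line):
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or not cells[0].startswith("Set value"):
        return None  # header row or a row of another signature type
    key, sep, raw = cells[1].partition(" = ")
    if not sep:
        return None
    key_path, _, value_name = key.rpartition("\\")
    return {
        "key": key_path,
        "run_type": key_path.rpartition("\\")[2],  # "Run" or "RunOnce"
        "value": value_name,
        "data": unescape(raw),
        "process": cells[2],
    }


def classify(entry):
    m = CLEANUP_CMD.match(entry["data"])
    if (entry["run_type"].lower() == "runonce"
            and re.fullmatch(r"wextract_cleanup\d+", entry["value"])
            and m and IEXPRESS_DIR.search(m.group("dir"))):
        return "iexpress-cleanup"  # self-extractor housekeeping: runs once, deletes its temp dir
    if entry["run_type"].lower() == "runonce":
        return "runonce-review"    # one-shot, but not the known cleanup shape
    return "persistence"           # Run value: started at every logon


def triage(table):
    out = []
    for line in table.splitlines():
        entry = parse_row(line)
        if entry:
            entry["verdict"] = classify(entry)
            out.append(entry)
    return out
```

The cleanup rule is deliberately narrow: it requires the RunOnce key, the wextract_cleanup name, the advpack.dll export and an IXPnnn.TMP target together, so a RunOnce value that merely mentions rundll32 still comes back as runonce-review.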
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET589F.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET589F.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET58B0.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET58B0.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2780 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 2780 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 2780 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.227:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | ac3a5f7be8cd13a863b50ab5fe00b71c |
| SHA1 | eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9 |
| SHA256 | 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da |
| SHA512 | c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
| MD5 | ad8982eaa02c7ad4d7cdcbc248caa941 |
| SHA1 | 4ccd8e038d73a5361d754c7598ed238fc040d16b |
| SHA256 | d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00 |
| SHA512 | 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe | N/A |
Checks installed software on the system
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 100 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe | C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe |
| PID 100 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe | C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe |
| PID 100 wrote to memory of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe | C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe"
C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe
"C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME FIRST.exe" -burn.filehandle.attached=528 -burn.filehandle.self=696
Network
Files
C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe
| MD5 | 53e9222bc438cbd8b7320f800bef2e78 |
| SHA1 | c4f295d8855b4b16c7450a4a9150eb95046f6390 |
| SHA256 | 0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888 |
| SHA512 | 7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a |
C:\Windows\Temp\{4EEDA182-F10A-4E75-9E39-B9F33E5373E7}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{4EEDA182-F10A-4E75-9E39-B9F33E5373E7}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
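The Files sections above list the same dropped file several times under different per-run GUID directories (the Burn clean-room copy of "RUN ME FIRST.exe" in behavioral11 and behavioral12 has identical hashes) and, in behavioral8, a block of perfc*/perfh* files that Windows regenerated on its own. The Python below is an added example, not part of the report: it parses the path-plus-hash-table layout used here, drops the OS-generated files, deduplicates by SHA256, and turns each path into a hunt pattern with the random GUID wildcarded. The sample input is copied from the tables above with the SHA512 rows omitted; the noise patterns are this editor's list for this image and should be extended as needed.

```python
import re

# Constructed input: file records copied from the behavioral8, behavioral11 and
# behavioral12 Files sections of this report (SHA512 rows omitted).
SAMPLE = r"""
C:\Windows\System32\perfc011.dat
| MD5 | eef14d868d4e0c2354c345abc4902445 |
| SHA1 | 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d |
| SHA256 | 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f |
\Windows\Temp\{6DA2AF65-CA5A-491D-9B72-D94B704F86A4}\.cr\RUN ME FIRST.exe
| MD5 | 53e9222bc438cbd8b7320f800bef2e78 |
| SHA1 | c4f295d8855b4b16c7450a4a9150eb95046f6390 |
| SHA256 | 0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888 |
C:\Windows\Temp\{0FC6536C-CC63-4CD1-829C-E541F98C1369}\.cr\RUN ME FIRST.exe
| MD5 | 53e9222bc438cbd8b7320f800bef2e78 |
| SHA1 | c4f295d8855b4b16c7450a4a9150eb95046f6390 |
| SHA256 | 0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888 |
C:\Windows\Temp\{4EEDA182-F10A-4E75-9E39-B9F33E5373E7}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
"""

# Files Windows itself regenerates during a detonation (WMIADAP.EXE performance
# counter rebuild); never useful as indicators. Editor's list for this image.
OS_NOISE = [
    re.compile(r"\\system32\\perf[ch]0[0-9a-f]{2}\.dat$", re.I),
    re.compile(r"\\system32\\PerfStringBackup\.(INI|TMP)$", re.I),
    re.compile(r"\\wbem\\Performance\\WmiApRpl", re.I),
    re.compile(r"\\inf\\WmiApRpl\\", re.I),
]
GUID_DIR = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)


def parse_records(text):
    """Yield (path, {algo: hexdigest}) for each file block in a Files listing."""
    path, hashes = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            hashes[m.group(1).upper()] = m.group(2).lower()
        else:
            if path is not None:
                yield path, hashes
            path, hashes = line, {}
    if path is not None:
        yield path, hashes


def is_os_noise(path):
    return any(p.search(path) for p in OS_NOISE)


def hunt_pattern(path):
    """Replace per-run random GUID directories with a wildcard for hunting."""
    return GUID_DIR.sub("{*}", path)


def extract_iocs(text):
    """Deduplicated file IOCs keyed by SHA256, with every path seen and hunt patterns."""
    iocs = {}
    for path, hashes in parse_records(text):
        sha = hashes.get("SHA256")
        if sha is None or is_os_noise(path):
            continue
        if path.startswith("\\"):      # the report sometimes omits the drive letter
            path = "C:" + path
        entry = iocs.setdefault(sha, {"md5": hashes.get("MD5"), "paths": [], "patterns": set()})
        entry["paths"].append(path)
        entry["patterns"].add(hunt_pattern(path))
    return iocs
```

Surviving entries still need judgement: wixstdba.dll is the stock WiX bootstrapper UI library and the clean-room copy of the installer is a relaunch of the file the user ran, so both identify the installer package rather than a malicious payload. The value of the list is that hunting for the SHA256 or for the {*}\.cr\RUN ME FIRST.exe pattern finds every host where this archive was executed.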
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Wifi & Bluetooth disabler\Disabler_Run_Admin.bat"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Velo.cc Spoofer_protected.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4596 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.169.36.23.in-addr.arpa | udp |
| GB | 142.250.187.234:443 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp |
Files
memory/1432-0-0x0000000140000000-0x0000000140CA5000-memory.dmp
memory/1432-1-0x0000000140000000-0x0000000140CA5000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\libcurl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
100s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\zlib1.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.48:443 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240226-en
Max time kernel
139s
Max time network
160s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\CRU.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.79.70.13.in-addr.arpa | udp |
Files
memory/1300-0-0x00000000007C0000-0x00000000007C1000-memory.dmp
memory/1300-1-0x0000000000400000-0x0000000000552000-memory.dmp
memory/1300-2-0x0000000000400000-0x0000000000552000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240508-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| File opened for modification | C:\Windows\setupact.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| File opened for modification | C:\Windows\setuperr.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
Note: setupapi.app.log, setupact.log and setuperr.log are the Windows device-installation logs, appended to by SetupAPI on behalf of any process that performs a device or driver operation; nothing is being dropped here. Together with the SeLoadDriverPrivilege rows below, this is consistent with restart64.exe restarting a display device (the folder is named Monitor Spoof) rather than with installing a file.
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1700 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe |
| PID 1700 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe |
| PID 1700 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe |
| PID 1700 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe
restart64.exe
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\system32\PerfStringBackup.INI | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\system32\PerfStringBackup.TMP | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.h | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File created | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
| File opened for modification | C:\Windows\inf\WmiApRpl\WmiApRpl.ini | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe |
| PID 1196 wrote to memory of 4796 | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart.exe"
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe
restart64.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x2d4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4208,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /R /T
Network
| Country | Destination | Domain | Proto |
| US | 184.30.249.239:80 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
Files
C:\Windows\System32\wbem\Performance\WmiApRpl.ini
| MD5 | ffdeea82ba4a5a65585103dd2a922dfe |
| SHA1 | 094c3794503245cc7dfa9e222d3504f449a5400b |
| SHA256 | c20b11dff802aa472265f4e9f330244ec4aca81b0009f6efcb2cf8a36086f390 |
| SHA512 | 7570527fdae4818f0fc780f9f141ab6a2d313cc6b3fdb1f7d7ff05d994ad77d3f8d168b1d77c2555d25dc487d24c18f2cc0eab505d1dd758d709f2576aac1a8a |
C:\Windows\System32\perfc011.dat
| MD5 | eef14d868d4e0c2354c345abc4902445 |
| SHA1 | 173c39e29dbe6dfd5044f5f788fa4e7618d68d4d |
| SHA256 | 9f32176066529c5699d45728fcad1bccce41d19dded4649b49cb24f7eef9ce7f |
| SHA512 | c926f13a0fc900dd7d740e2d7d33cdd1902ece0bfb44b6e1f5fed6ffd348c3e7d71089fb9792e38799e8df6573bc09e67bbe132cf9c2ae0a7199534dc5d959ee |
C:\Windows\System32\wbem\Performance\WmiApRpl.h
| MD5 | b133a676d139032a27de3d9619e70091 |
| SHA1 | 1248aa89938a13640252a79113930ede2f26f1fa |
| SHA256 | ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15 |
| SHA512 | c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5 |
C:\Windows\System32\perfh00A.dat
| MD5 | 4e62108a0d4a00aa39624f4f941d2595 |
| SHA1 | 7fbff1d3ac293c715a303ac37da0ceb12591028b |
| SHA256 | 3df3adaa8bd1ec4dd99bf304c7a1b0d513097fbeb8648efad4b127c5522c3263 |
| SHA512 | c79a483e4012d8c97f4a2188fdc27ea04bae24993b12487551872f1413a1a0884197dc71d13ba1dfd32c9b2c93089761f6f3ec37f0bb19e209dbf19283462126 |
C:\Windows\System32\perfc00A.dat
| MD5 | 6d4b430c2abf0ec4ca1909e6e2f097db |
| SHA1 | 97c330923a6380fe8ea8e440ce2c568594d3fff7 |
| SHA256 | 44f8db37f14c399ea27550fa89787add9bfd916ffb0056c37f5908b2bac7723e |
| SHA512 | cf28046fb6ab040d0527d7c89870983c02a110e9fe0ecf276395f080a3bd5745b920a79b3ce3bb820d7a5a878c0d13c37f67f4b5097245c5b93ca1111c1e830b |
C:\Windows\System32\perfh009.dat
| MD5 | 407f4fed9a4510646f33a2869a184de8 |
| SHA1 | e2e622f36b28057bbfbaee754ab6abac2de04778 |
| SHA256 | 64a9d789cc9e0155153067c4354e1fc8baf3aa319fa870a2047482450811f615 |
| SHA512 | 1d420ea7ac787df81bbc1534e8fac89227f54fffff70c08c6d2da385762e6c5766448ab4a47aae1c5cbc671776522b6fb6d9c27870b505ae101462bce912867e |
C:\Windows\System32\perfh007.dat
| MD5 | 82d7f8765db25b313ecf436572dbe840 |
| SHA1 | da9ed48d5386a1133f878b3e00988cbf4cdebab8 |
| SHA256 | 3053aa67e9cb37cd6f9645ef3bec8d43b1863afd852d3860ea73fcd83c7010c3 |
| SHA512 | 59766b408b548dc020b54c79a426b361112c33c7263c16ca2e69485dadca05fb4c63b6433063e77c6a9e28a43ec6d3c8206ea702a33b79151fa6309d83b316a8 |
C:\Windows\System32\perfc007.dat
| MD5 | 1bd26a75846ce780d72b93caffac89f6 |
| SHA1 | ff89b7c5e8c46c6c2e52383849bbf008bd91d66e |
| SHA256 | 55b47d0f965800c179a78314b6489d02788a44fa2ce00f68b2d860440216927a |
| SHA512 | 4f5e14637e9e89700f1ee2d0e575d26d4f3d164d859487f1471bf4410dec6d0d7dbf552c6f791c12388be035c6b974610cda8882c6394438e2220b79e4d74e9e |
C:\Windows\System32\perfh00C.dat
| MD5 | b87c7ea0e738fc61eb32a94fbd6c6775 |
| SHA1 | 0e730aa70900f623205b93cb1d6e11be4c0d51b5 |
| SHA256 | 6cd8b09f644b22c39e02af26b57580baa0fbed01b682d158b29c676d17dac5c0 |
| SHA512 | 4bad64af992b17a5700cf25ccfa299b2db5be846b8bc28233fa6987964994a34694eb53329ede8d04092298e4b16f06563e459692c210111e0420ee34468f23d |
C:\Windows\System32\perfc00C.dat
| MD5 | 6adbb878124fcd6561655718f12bff5f |
| SHA1 | 1711619dda04178fb47eea6658da6ad52f6cf660 |
| SHA256 | 0b16ac631d596f85f0062dbe5da238c0745bd4c033207cba2508465c7c7983cf |
| SHA512 | 88ec8b3c4670970900ef8fdaf0865e24a5bbc9c0ca375eb6ce12e8d8a3ec08c8a45dfc8ae3c7f4ff1974d5e4b53e0905c5dffadb852e730eb8097a22cd750006 |
C:\Windows\System32\perfh010.dat
| MD5 | 77a299c7d27f4e4372cd6c1de0781586 |
| SHA1 | bb6bf16619da6d0acc30797cd10978bde64892fd |
| SHA256 | 6699946552b9d5ebe64d6854228984a773e413a345816a5597b7d7035d4c09bf |
| SHA512 | 21fa8fd59e56018a3d888aed054e4117b246a5ea4568c2df93334d7565d50a512b5fc2c66c09572f7d1363e5b65ddb34d0c072267be78b15681076d2380cf98b |
C:\Windows\System32\perfc010.dat
| MD5 | c0a264734479700068f6e00ef4fd4aa7 |
| SHA1 | 4e1a8c6a53ea9b54eb76f12d99b1327137a47ebd |
| SHA256 | 71c5a18d082651484ae96e93f127bac9ac217513976b7e98eeb2b879d643b735 |
| SHA512 | 85ff44333fc4d47b02cdbc8c665c0bace22a19961e40419227976333ec1384ef8779232d241a9e3b54d988117b84c436f695f0be80dd109ede60fed919ee5fca |
C:\Windows\System32\perfh011.dat
| MD5 | a8bc9760fe491ad0305212839f5caaaf |
| SHA1 | e5aa69598284bc55ef94adcf3745053650179f42 |
| SHA256 | 6de2fdef2860e6e37cab23fa1785182c47955bc525c6e43f5b6887962ec7da8b |
| SHA512 | 4e19385e847d0f2de2d66979272a32bdb159c34319f45e7a497672904f20e52fa288778a7a5d1500b43abaeaea5f9f3cfda805895cf94442e5bd4d92d8751f13 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| File opened for modification | C:\Windows\setupact.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| File opened for modification | C:\Windows\setuperr.log | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Monitor Spoof\restart64.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240611-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET23E5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET23E5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SET23F6.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SET23F6.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\security\logs\scecomp.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe
"C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\RUN ME ALSO.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | ac3a5f7be8cd13a863b50ab5fe00b71c |
| SHA1 | eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9 |
| SHA256 | 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da |
| SHA512 | c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
| MD5 | ad8982eaa02c7ad4d7cdcbc248caa941 |
| SHA1 | 4ccd8e038d73a5361d754c7598ed238fc040d16b |
| SHA256 | d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00 |
| SHA512 | 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win10v2004-20240611-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\Wifi & Bluetooth disabler\Disabler_Run_Admin.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
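The signature tables in behavioral6, behavioral9 and behavioral16 above are the raw sandbox events; reading them by hand means separating the sample's own actions (restart.exe writing into restart64.exe, restart64.exe taking SeLoadDriverPrivilege from a folder under %TEMP%, RUN ME ALSO.exe setting a RunOnce value) from detonation noise (WMIADAP.EXE rebuilding performance-counter files via wmiadap.exe /R /T, AUDIODG.EXE, msedge.exe) and from the standard cleanup entry that an IExpress/wextract self-extractor leaves (wextract_cleanup0 running advpack.dll,DelNodeRunDLL32 on its IXP000.TMP folder). The script below is an added worked example, not part of the report and not any sandbox vendor's tooling: it parses rows constructed from this page's tables, applies a small set of rules, and converts the in-addr.arpa names in the DNS rows back into the addresses that were looked up (those rows are reverse lookups sent to 8.8.8.8, not connections to the named hosts). The rule names, severity scale, NOISE list and all function names are this example's own assumptions.

```python
"""Triage the signature and network rows of a sandbox behavioural report.

Added example, not the report's or any vendor's code. Sample rows are
constructed from the tables on this page; rules and names are assumptions.
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed input: (signature name, "| Description | Indicator | Process | Target |" row).
SIGNATURE_ROWS = [
    ("Suspicious use of AdjustPrivilegeToken",
     rf"| Token: SeLoadDriverPrivilege | N/A | {TEMP}\velocitytytytyt\Monitor Spoof\restart64.exe | N/A |"),
    ("Suspicious use of AdjustPrivilegeToken",
     r"| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |"),
    ("Suspicious use of WriteProcessMemory",
     rf"| PID 1196 wrote to memory of 4796 | N/A | {TEMP}\velocitytytytyt\Monitor Spoof\restart.exe "
     rf"| {TEMP}\velocitytytytyt\Monitor Spoof\restart64.exe |"),
    ("Drops file in System32 directory",
     r"| File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\wbem\WMIADAP.EXE | N/A |"),
    ("Drops file in System32 directory",
     rf"| File created | C:\Windows\SysWOW64\directx\websetup\SET23E5.tmp | {TEMP}\IXP000.TMP\dxwsetup.exe | N/A |"),
    ("Adds Run key to start application",
     r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 '
     r'= "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" '
     rf"| {TEMP}\velocitytytytyt\RUN ME ALSO.exe | N/A |"),
    ("Suspicious use of AdjustPrivilegeToken",
     rf"| Token: SeRestorePrivilege | N/A | {TEMP}\IXP000.TMP\dxwsetup.exe | N/A |"),
]

# Constructed input: "| Country | Destination | Domain | Proto |" rows from the report.
NETWORK_ROWS = [
    "| US | 184.30.249.239:80 | | tcp |",
    "| NL | 52.142.223.178:80 | | tcp |",
    "| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |",
]

# OS background activity seen in nearly every detonation (assumed noise list).
NOISE = {"wmiadap.exe", "audiodg.exe", "msedge.exe"}

# Assumed severity per privilege; SeLoadDriverPrivilege is what a driver loader needs.
PRIVILEGE_SEVERITY = {
    "seloaddriverprivilege": "high",
    "sedebugprivilege": "high",
    "serestoreprivilege": "medium",   # lets a writer bypass file ACLs
    "sebackupprivilege": "medium",
}


@dataclass(frozen=True)
class Event:
    signature: str
    description: str
    indicator: str
    process: str
    target: str


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    process: str
    detail: str


def split_cells(row):
    """'| a | b | c | d |' -> ['a', 'b', 'c', 'd'] (empty cells stay as '')."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def parse_row(signature, row):
    cells = split_cells(row)
    if len(cells) != 4:
        raise ValueError(f"expected 4 cells, got {len(cells)}: {row!r}")
    return Event(signature, *cells)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def user_writable(path):
    """Anything under C:\\Users is writable without elevation; System32 is not."""
    return path.lower().startswith(r"c:\users\ ".strip())


def triage(events):
    findings = []
    for ev in events:
        proc = basename(ev.process)
        if proc in NOISE:
            continue
        if ev.signature.endswith("AdjustPrivilegeToken"):
            priv = ev.description.split(":", 1)[-1].strip().lower()
            sev = PRIVILEGE_SEVERITY.get(priv)
            if sev and user_writable(ev.process):
                findings.append(Finding(sev, "privilege-from-user-path", ev.process, priv))
        elif ev.signature.endswith("WriteProcessMemory"):
            if ev.target != "N/A" and basename(ev.target) != proc:
                findings.append(Finding("medium", "cross-process-write", ev.process, ev.target))
        elif ev.signature.startswith("Drops file in"):
            if user_writable(ev.process):
                findings.append(Finding("medium", "system-dir-drop", ev.process, ev.indicator))
        elif ev.signature.startswith("Adds Run key"):
            key = ev.indicator.split(" = ")[0]
            # wextract_cleanup* + advpack.dll,DelNodeRunDLL32 is the stock RunOnce
            # entry an IExpress self-extractor leaves to delete its IXP*.TMP folder.
            if "wextract_cleanup" in key and "advpack.dll,DelNodeRunDLL32" in ev.indicator:
                findings.append(Finding("low", "self-extractor-cleanup", ev.process, key))
            else:
                findings.append(Finding("high", "run-key-persistence", ev.process, key))
    return findings


def ptr_to_ip(name):
    """'73.31.126.40.in-addr.arpa' is the PTR name for 40.126.31.73."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name)
    return ".".join(reversed(m.groups())) if m else None


def network_iocs(rows):
    """Separate real destinations from hosts that were only reverse-resolved."""
    direct, ptr_lookups = [], []
    for row in rows:
        country, dest, domain, proto = split_cells(row)
        ip = ptr_to_ip(domain)
        if ip:
            ptr_lookups.append(ip)
        elif dest.split(":")[0] != "8.8.8.8":
            direct.append((dest, proto))
    return {"direct": direct, "ptr_lookups": ptr_lookups}


if __name__ == "__main__":
    for f in triage(parse_row(s, r) for s, r in SIGNATURE_ROWS):
        print(f"[{f.severity:6}] {f.rule:24} {basename(f.process):16} {f.detail}")
    print(network_iocs(NETWORK_ROWS))
```

Run as-is it prints five findings: the SeLoadDriverPrivilege request and the restart.exe to restart64.exe memory write from the Monitor Spoof folder, dxwsetup.exe dropping into SysWOW64 and taking SeRestorePrivilege, and the low-severity wextract cleanup entry; the WMIADAP.EXE and AUDIODG.EXE rows are suppressed, and the two 8.8.8.8:53 rows become the addresses 40.126.31.73 and 2.17.107.203 rather than being reported as contacted hosts.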
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-16 17:08
Reported
2024-06-16 17:11
Platform
win7-20240508-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\velocitytytytyt\libcurl.dll,#1