Analysis Overview
SHA256
347d4a35a5c99443dc26be1d36b93c308817808cc775ca15b1760243f0979d14
Threat Level: Known bad
The file SploitXE_Release.rar was found to be: Known bad.
Malicious Activity Summary
AgentTesla
AgentTesla payload
Agenttesla family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AgentTesla payload
Identifies Wine through registry keys
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Drops desktop.ini file(s)
Drops file in System32 directory
Loads dropped DLL
Checks installed software on the system
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Modifies registry class
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-18 16:15
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 16:15
Reported
2024-06-18 16:18
Platform
win7-20231129-en
Max time kernel
148s
Max time network
143s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Fraps\fraps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Fraps\fraps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Fraps\fraps.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Fraps\fraps.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | C:\Fraps\fraps.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | C:\Fraps\fraps.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine | C:\Fraps\fraps.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\frapsv64.dll | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| File created | C:\Windows\SysWOW64\frapsvid.dll | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | C:\Fraps\fraps.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe
"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"
C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe
"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\rbxfpsunlocker.exe"
C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe
"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"
C:\Fraps\fraps.exe
"C:\Fraps\fraps.exe" /exit
C:\Fraps\fraps.exe
"C:\Fraps\fraps.exe"
C:\Fraps\fraps.exe
"C:\Fraps\fraps.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
Files
memory/2264-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp
memory/2264-1-0x00000000008B0000-0x00000000008C6000-memory.dmp
memory/2264-2-0x0000000004C40000-0x0000000004E54000-memory.dmp
memory/2264-3-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/2264-4-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/2264-5-0x0000000073FDE000-0x0000000073FDF000-memory.dmp
memory/2264-6-0x0000000073FD0000-0x00000000746BE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar5546.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2264-66-0x0000000073FD0000-0x00000000746BE000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsy68F2.tmp\AdvSplash.dll
| MD5 | 13cc92f90a299f5b2b2f795d0d2e47dc |
| SHA1 | aa69ead8520876d232c6ed96021a4825e79f542f |
| SHA256 | eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb |
| SHA512 | ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3 |
\Users\Admin\AppData\Local\Temp\nsy68F2.tmp\StartMenu.dll
| MD5 | a4173b381625f9f12aadb4e1cdaefdb8 |
| SHA1 | cf1680c2bc970d5675adbf5e89292a97e6724713 |
| SHA256 | 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b |
| SHA512 | fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82 |
\Users\Admin\AppData\Local\Temp\nsy68F2.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Fraps\fraps.exe
| MD5 | 0ff5b5161a78bf5721811779376db71d |
| SHA1 | 35308429117b514237d34bd8015bfe4efa8e7d55 |
| SHA256 | da7f61f2b04266a2ae897a0b001e721f1920cb579d5e08a8e5930a79c5d2fb80 |
| SHA512 | d701440fa49f287a9631c8fb98cef5ea89b4f135901519d3ff3c45d0a7b8c464901514078bcf5ea8d2ffd23dbc7e30816ec0beaf06a531af045fdd1f5aec0204 |
memory/1584-104-0x0000000001FC0000-0x0000000001FD0000-memory.dmp
memory/3048-115-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/1584-114-0x0000000003EC0000-0x00000000046C3000-memory.dmp
memory/3048-117-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-126-0x0000000000400000-0x0000000000C03000-memory.dmp
\Fraps\fraps32.dll
| MD5 | 6328007efe11f2ad0a50f122367ce743 |
| SHA1 | 3f48580a32d0c5cd2551dcbcbce885c9337ce044 |
| SHA256 | e800f37cb2efa8ba13a25278cdd578dae4a2c86d23d4247349673160b0301e4f |
| SHA512 | 67d38b4dadecf020d1dc1e567327b5c0ebb72391448956e3e5a99943b6552851a94236d407da47c70abeed841898d2681382d78c522a40f28f22bbb654f7a8ec |
C:\Fraps\FRAPSLCD.DLL
| MD5 | 895c32a4eefd648d62e92201e4954cd2 |
| SHA1 | 5d7753f95ab95176da45473eaa0d7de29ca02973 |
| SHA256 | 1376f53554c5977a627a7e749dd147cd10e7735ef4b860fd69b7ae31a7b15e74 |
| SHA512 | 76823f00376aff72b7ddf7fad259a43cdc5feec5486e3d79f6d63758f7325059d8e83dc10beb9447254501fe606b9f17fa6ed4d54f98a59dd4571453ff58fb35 |
memory/2452-131-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/3028-133-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-140-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-141-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-139-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-138-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-137-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-136-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-135-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-134-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/3028-143-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-144-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-145-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-146-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-150-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-149-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-148-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-147-0x0000000004D00000-0x0000000004D0A000-memory.dmp
memory/2452-151-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-152-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-153-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2452-154-0x0000000000400000-0x0000000000C03000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 16:15
Reported
2024-06-18 16:18
Platform
win10v2004-20240508-en
Max time kernel
114s
Max time network
51s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe
"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\SploitXE.exe"
Network
Files
memory/4788-0-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/4788-1-0x0000000000A80000-0x0000000000A96000-memory.dmp
memory/4788-2-0x00000000059F0000-0x0000000005F94000-memory.dmp
memory/4788-3-0x0000000005330000-0x00000000053C2000-memory.dmp
memory/4788-4-0x00000000053F0000-0x00000000053FA000-memory.dmp
memory/4788-5-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/4788-6-0x0000000005780000-0x0000000005994000-memory.dmp
memory/4788-7-0x0000000074E60000-0x0000000075610000-memory.dmp
memory/4788-8-0x0000000074E6E000-0x0000000074E6F000-memory.dmp
memory/4788-9-0x0000000074E60000-0x0000000075610000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-18 16:15
Reported
2024-06-18 16:18
Platform
win7-20240220-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe
"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsoF20.tmp\AdvSplash.dll
| MD5 | 13cc92f90a299f5b2b2f795d0d2e47dc |
| SHA1 | aa69ead8520876d232c6ed96021a4825e79f542f |
| SHA256 | eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb |
| SHA512 | ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-18 16:15
Reported
2024-06-18 16:18
Platform
win10v2004-20240508-en
Max time kernel
96s
Max time network
52s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Fraps\fraps.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Fraps\fraps.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Fraps\fraps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Fraps\fraps.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Fraps\fraps.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine | C:\Fraps\fraps.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\system32\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\frapsvid.dll | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| File created | C:\Windows\system32\frapsv64.dll | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps64.dat | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps64.dat | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.avi | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\Extensions\.avi | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{3E264436-F54B-4E06-91E2-5B40A583BFB5} | C:\Fraps\fraps.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{C71814BA-7287-45A7-84E2-64E1664CAB3D} | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps64.dat | N/A |
| N/A | N/A | C:\Fraps\fraps64.dat | N/A |
| N/A | N/A | C:\Fraps\fraps64.dat | N/A |
| N/A | N/A | C:\Fraps\fraps64.dat | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
| N/A | N/A | C:\Fraps\fraps.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1180 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | C:\Fraps\fraps.exe |
| PID 1180 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | C:\Fraps\fraps.exe |
| PID 1180 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe | C:\Fraps\fraps.exe |
| PID 3264 wrote to memory of 1016 | N/A | C:\Fraps\fraps.exe | C:\Fraps\fraps64.dat |
| PID 3264 wrote to memory of 1016 | N/A | C:\Fraps\fraps.exe | C:\Fraps\fraps64.dat |
Processes
C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe
"C:\Users\Admin\AppData\Local\Temp\SploitXE Release\setup.exe"
C:\Fraps\fraps.exe
"C:\Fraps\fraps.exe" /exit
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
C:\Fraps\fraps.exe
"C:\Fraps\fraps.exe"
C:\Fraps\fraps64.dat
"C:\Fraps\fraps64.dat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsc40B4.tmp\AdvSplash.dll
| MD5 | 13cc92f90a299f5b2b2f795d0d2e47dc |
| SHA1 | aa69ead8520876d232c6ed96021a4825e79f542f |
| SHA256 | eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb |
| SHA512 | ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3 |
C:\Users\Admin\AppData\Local\Temp\nsc40B4.tmp\StartMenu.dll
| MD5 | a4173b381625f9f12aadb4e1cdaefdb8 |
| SHA1 | cf1680c2bc970d5675adbf5e89292a97e6724713 |
| SHA256 | 7755ff2707ca19344d489a5acec02d9e310425fa6e100d2f13025761676b875b |
| SHA512 | fcac79d42862da6bdd3ecad9d887a975cdff2301a8322f321be58f754a26b27077b452faa4751bbd09cd3371b4afce65255fbbb443e2c93dd2cba0ba652f4a82 |
C:\Users\Admin\AppData\Local\Temp\nsc40B4.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Fraps\fraps.exe
| MD5 | 0ff5b5161a78bf5721811779376db71d |
| SHA1 | 35308429117b514237d34bd8015bfe4efa8e7d55 |
| SHA256 | da7f61f2b04266a2ae897a0b001e721f1920cb579d5e08a8e5930a79c5d2fb80 |
| SHA512 | d701440fa49f287a9631c8fb98cef5ea89b4f135901519d3ff3c45d0a7b8c464901514078bcf5ea8d2ffd23dbc7e30816ec0beaf06a531af045fdd1f5aec0204 |
memory/2084-45-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2084-46-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/2084-54-0x0000000000401000-0x0000000000419000-memory.dmp
memory/2084-53-0x0000000004D20000-0x0000000004D21000-memory.dmp
memory/2084-52-0x0000000004D10000-0x0000000004D11000-memory.dmp
memory/2084-51-0x0000000004D70000-0x0000000004D71000-memory.dmp
memory/2084-50-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/2084-49-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/2084-48-0x0000000004D60000-0x0000000004D61000-memory.dmp
memory/2084-47-0x0000000004D30000-0x0000000004D31000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
memory/3264-77-0x0000000000400000-0x0000000000C03000-memory.dmp
C:\Fraps\frapslcd.dll
| MD5 | 895c32a4eefd648d62e92201e4954cd2 |
| SHA1 | 5d7753f95ab95176da45473eaa0d7de29ca02973 |
| SHA256 | 1376f53554c5977a627a7e749dd147cd10e7735ef4b860fd69b7ae31a7b15e74 |
| SHA512 | 76823f00376aff72b7ddf7fad259a43cdc5feec5486e3d79f6d63758f7325059d8e83dc10beb9447254501fe606b9f17fa6ed4d54f98a59dd4571453ff58fb35 |
C:\Fraps\fraps32.dll
| MD5 | 6328007efe11f2ad0a50f122367ce743 |
| SHA1 | 3f48580a32d0c5cd2551dcbcbce885c9337ce044 |
| SHA256 | e800f37cb2efa8ba13a25278cdd578dae4a2c86d23d4247349673160b0301e4f |
| SHA512 | 67d38b4dadecf020d1dc1e567327b5c0ebb72391448956e3e5a99943b6552851a94236d407da47c70abeed841898d2681382d78c522a40f28f22bbb654f7a8ec |
C:\Fraps\fraps64.dat
| MD5 | 79856998086dec03fa34a614708ae1e2 |
| SHA1 | f858dd68780063527953aeccdcbfc955b3ea2cb9 |
| SHA256 | a62a9241f3bf39176956d6fa45cec7a9aae12908c7156e4b533b81d35e902a9e |
| SHA512 | ca63ea0f8f269b957efa65faf4c836133c93cbe38b76f5c0117bdb3e9a1719ef1b1943a9a3f2f7e51e31e08fdc0a02b24233baaa12aa6087112db9b4b7bb7f48 |
C:\Fraps\fraps64.dll
| MD5 | 5fd7bee98d14dacdf2f206dad278a621 |
| SHA1 | 03181ad2c9ff23f679f4276ed6c34bdcc7a7282c |
| SHA256 | 6acebecb8934508832a44fdd92823e8026ea4878c81e6eb18ae03eaa7b5b5c6f |
| SHA512 | 12886a63450ed203dad5f4e485ae8cb0bad97e2d4ab76e136c37e4679f2fd83918786dd5c2c3b593766835447c9d4e320f8d82161281c097c5b852b741c13f56 |
memory/3264-90-0x0000000000400000-0x0000000000C03000-memory.dmp
memory/3264-91-0x0000000000400000-0x0000000000C03000-memory.dmp